Systems, methods, and user interfaces for intelligent and expedited generation of cybersecurity artifacts using cybersecurity control data objects

ABSTRACT

In some embodiments, a cybersecurity data handling and governance service displays a cybersecurity artifact generation object. In some embodiments, while displaying the cybersecurity artifact generation object, the cybersecurity data handling and governance service receives a first input selecting the cybersecurity artifact generation object. In some embodiments, in accordance with a determination that the first input is directed to generating a first cybersecurity artifact corresponding to a first authoritative information security standard and in accordance with a determination that the first user interface is dedicated to displaying information directed to a respective cybersecurity data catalogue, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on a first set of cybersecurity control data objects included in the respective cybersecurity data catalogue in accordance with submittal-criteria defined by the first authoritative information security standard.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a continuation of U.S. patent application Ser. No. 17/750,378, filed 22 May 2022, which claims the benefit of U.S. Provisional Application No. 63/300,240, filed 17 Jan. 2022, U.S. Provisional Application No. 63/300,228, filed 17 Jan. 2022, U.S. Provisional Application No. 63/296,152, filed 3 Jan. 2022, and U.S. Provisional Application No. 63/213,199, filed 21 Jun. 2021, which are incorporated in their entireties by this reference.

TECHNICAL FIELD

This invention relates generally to the cybersecurity field, and more specifically to new and useful systems, methods, and user interfaces for expediting generation of one or more digital cybersecurity artifacts using one or more digital cybersecurity control data objects.

BACKGROUND

Modern entities typically task information security departments with gaining and/or maintaining organizational compliance with one or more information security standards. Typically, these information security departments maintain data records in non-integrated or disjointed storage architectures that are often outdated/obsolete and non-extensible when needed. Thus, there are needs in the cybersecurity data handling and data governance fields for improved systems and methods that enable information security departments to maintain data assets and/or data records more easily through an extensible information security data handling and data governance platform.

The embodiments of the present application described herein provide technical solutions that address, at least, the needs described above, as well as the deficiencies of the state of the art.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates a schematic representation of a system 100 in accordance with one or more embodiments of the present application; and

FIGS. 2A-2WW illustrate examples of how an information security service automatically creates one or more information security programs and/or automatically generates one or more information security artifacts in accordance with some embodiments of the disclosure.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

In the following description of embodiments, reference is made to the accompanying drawings which form a part hereof, and in which it is shown by way of illustration specific embodiments that are optionally practiced. It is to be understood that other embodiments are optionally used and structural changes are optionally made without departing from the scope of the disclosed embodiments.

Although the following description uses terms “first,” “second,” etc. to describe various elements, these elements should not be limited by the terms. These terms are only used to distinguish one element from another. For example, a first input could be termed a second input, and, similarly, a second input could be termed a first input, without departing from the scope of the various described embodiments. The first input and the second input are both inputs, but they are not the same input.

The terminology used in the description of the various described embodiments herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used in the description of the various described embodiments and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term “and/or” as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. It will be further understood that the terms “includes,” “including,” “comprises,” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The term “if” is, optionally, construed to mean “when” or “upon” or “in response to determining” or “in response to detecting,” depending on the context. Similarly, the phrase “if it is determined” or “if [a stated condition or event] is detected” is, optionally, construed to mean “upon determining” or “in response to determining” or “upon detecting [the stated condition or event]” or “in response to detecting [the stated condition or event],” depending on the context.

Additionally, the following description of the preferred embodiments of the inventions is not intended to limit the inventions to these preferred embodiments, but rather to enable any person skilled in the art to make and use these inventions.

FIG. 1 illustrates an example computer system (e.g., cybersecurity system) that may be configured to visually display, on a computer display device, one or more subscriber-specific information security data programs. In one or more embodiments, the computer system may be configured and programmed to store, query, and/or generate one or more visual representations of information security control data and/or one or more information security artifacts associated with one or more data structures. Embodiments of the computer system may include, but are not limited to, a standalone computer system that includes data storage and display components, a multiple computer server system with multiple computer components on server systems located within a cloud server, or the like.

In one or more embodiments, the computer system may include a presentation module, a data rendering instructions module, a communication module, a data management module, a display device, and a data repository module. The presentation module, data rendering instructions module, communication module, and data management module may each comprise executable instructions loaded into a set of one or more pages of main memory, such as RAM, in the computer system which when executed may cause the computer system to perform the functions or operations that are described herein (e.g., the method 300). For example, the data rendering instructions module may comprise executable instructions loaded into a set of pages in RAM that contain instructions which when executed cause the data rendering functions described herein to be performed.

In one or more embodiments, the presentation module, data rendering instructions module, the communication module, and the data management module may represent one or more files or projects of source code that may be digitally stored in a mass storage device such as non-volatile RAM or disk storage, in the computer system or a separate repository system, which when compiled or interpreted may cause generation of executable instructions that, when executed, cause the computer system to perform the functions or operations described herein. In one or more embodiments, the presentation module may include instructions to generate a visual user interface (GUI) to be displayed on the display device. The GUI may comprise controls for receiving user input which may be used to update or generate a new display of data within the GUI as described in more detail below.

In one or more embodiments, the data rendering instructions module may include instructions to generate a visual display that may visually illustrate one or more information security programs, one or more information security control objects of the one or more information security programs, and/or one or more information security artifacts based on one or more data structures stored within a data repository module and/or user input that specifies the configuration of the visual display based on the user-selected information security program and the target information security artifact to generate. In one or more embodiments, the data management module may include instructions for performing functions that manage read operations and write operations associated with the data repository module and other functional elements of the system, including queries and result sets communicated between the functional elements of the system and the data repository module. In one or more embodiments, the display device may include, but is not limited to, a computer display screen, a computer projection screen, a mobile device screen, or any other digital display configured to present visual illustrations of data. The visual representation of the information security program, the information security control data objects and their relationships, and/or the information security artifact may then be displayed on the display device for a user (or subscriber) to view.

In an embodiment, user input may represent input from a user or other computer system, external to the computer system, to update or modify the current visual display on the display device. According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that may be persistently programmed to perform the techniques and/or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. The special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques. For example, the computer system may include a bus or other communication mechanism for communicating information, and a hardware processor coupled with the bus for processing information. The hardware processor may be, for example, a general purpose microprocessor.

The computer system may also include a main memory, such as a random access memory (RAM) or other dynamic storage device, coupled to the bus for storing information and instructions to be executed by a processor. The computer system may further include a read only memory (ROM) or other static storage device coupled to the bus for storing static information and instructions for the processor. Execution of the sequences of instructions contained in the main memory may cause the processor to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions. The term “storage media” as used herein refers to any non-transitory media that stores data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise the bus. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequences of one or more instructions to the processor for execution. Network links typically provide data communication through one or more networks to other data devices. For example, a network link may provide a connection through a local network to a host computer or to data equipment operated by an Internet Service Provider (ISP). The ISP in turn may provide data communication services through the worldwide packet data communication network, commonly referred to as the “Internet”. The computer system may send messages and receive data, including program code, through the network(s), network link and communication interface. In the Internet example, a server might transmit a requested code for an application program through the Internet, ISP, local network and communication interface. The received code may be executed by the processor as it is received, and/or stored in a storage device, or other non-volatile storage for later execution.

FIGS. 2A-2WW illustrate examples of how an electronic device (or an information security service) creates one or more information security programs and/or generates one or more information security artifacts in accordance with some embodiments of the disclosure. The embodiments in these figures are used to illustrate the processes described below, including the processes described with reference to method 300. Although FIGS. 2A-2WW illustrate various examples of ways an information security service (or an electronic device) is able to perform the processes described below with reference to the method 300, it should be understood that these examples are not meant to be limiting, and the information security service (or the electronic device) is able to perform one or more processes described below with reference to the method 300 in ways not expressly described with reference to FIGS. 2A-2WW.

FIG. 2A illustrates an electronic device 200 that includes a display generation component 202. In some embodiments, the display generation component 202 optionally displays one or more user interfaces that include various content and/or user interface elements provided by an information security service. For example, in FIG. 2A, the electronic device 200 is displaying a user interface 204 via the display generation component 202. The display generation component 202 optionally displays the user interface 204 after the electronic device 200 received one or more inputs for accessing an information security service (e.g., after a user of the electronic device 200 logged into a subscriber account of the information security service and navigated to the user interface 204). For example, in FIGS. 2A-2WW, the electronic device 200 is currently displaying user interfaces corresponding to Subscriber A because Subscriber A is currently logged into the information security service at the electronic device 200. It should be understood that, in some embodiments, if a different subscriber of the information security service (e.g., Subscriber B) was currently logged into the information security service instead of Subscriber A, the electronic device 200 would optionally display user interfaces associated with that subscriber (e.g., Subscriber B) instead of displaying user interfaces associated with Subscriber A as illustrated in FIGS. 2A-2WW. It shall be noted that the expression “information security service” may also be referred to herein as “cybersecurity data handling and governance service” or “cybersecurity service.” Thus, the terms “information security” and “cybersecurity” may be used interchangeably herein.

In some embodiments, the electronic device 200 (or the information security service or the cybersecurity data handling and governance service) receives a sequence of one or more inputs for transmitting (e.g., uploading) one or more information security artifacts to the information security service. The one or more information security artifacts (e.g., two or more information security artifacts, three or more information security artifacts, four or more information security artifacts, or any number of information security artifacts) that may be uploaded to the information security service may optionally be information security artifacts that Subscriber A may have used to certify a system, service, product, and/or device (e.g., provided by Subscriber A) to one or more information security standards, such as GDPR, HIPAA, ISO 27001, NIST 800-53, NIST 800-171, PCI-DSS, SOC 1, SOC 2, SOX, FedRAMP Low, FedRAMP Moderate, FedRAMP High, etc. It shall be noted that if two or more information security artifacts are uploaded to the information security service, the two or more information security artifacts may be distinct and not easily correlatable to one another (e.g., a FedRAMP information security artifact and an ISO 27001 information security artifact).

Information security standards, as generally referred to herein, are published by regulatory bodies and include one or more sections, which in turn include one or more objectives that may need to be satisfied in order to meet the requirements of a respective information security standard—as described in more detail with reference to FIGS. 2RR-2UU. In some examples, the one or more information security artifacts transmitted to and received by the information security service correspond to different regulatory bodies. For example, a first information security artifact (e.g., an ISO 27001 information security artifact) and a second information security artifact (e.g., a FedRAMP High information security artifact) that are received by the information security service may be related to different regulatory bodies (e.g., the regulatory body of the FedRAMP High information security standard may be different than the regulatory body of the ISO 27001 information security standard).

For example, the NIST 800-53 standard is published by the National Institute of Standards and Technology (NIST) and includes 18 sections corresponding to 921 objectives that may need to be implemented (or planned to be implemented) by an appropriate system, service, product, and/or device to meet the requirements of the NIST 800-53 standard. A subset of the sections and objectives for the NIST 800-53 will now be briefly described below, but for brevity all of the sections and objectives of the NIST 800-53 standard will not be described, nor will all of the sections and objectives of the other information security standards mentioned above be described, as one of ordinary skill in the art would be familiar with the sections, standards and/or objectives required by each respective information security standard.

A subset of the sections in the NIST 800-53 are as follows: a first section in the NIST 800-53 information security standard is directed to Access Control (AC), a second section in the NIST 800-53 information security standard is directed to Awareness and Training (AT), a third section in the NIST 800-53 information security standard is directed to Audit and Accountability (AU), a fourth section in the NIST 800-53 information security standard is directed to Configuration Management (CM), and a fifth section in the NIST 800-53 information security standard is directed to Identification and Authentication (IA). The first section of the NIST 800-53 standard (Access Control) corresponds to 126 distinct objectives that may need to be met by an appropriate system, service, product, device, etc. to satisfy the requirements set forth by the first section of the NIST 800-53 information security standard. Similarly, the second section of the NIST 800-53 information security standard (Awareness and Training), the third section of the NIST 800-53 information security standard (Audit and Accountability), the fourth section of the NIST 800-53 information security standard (Configuration Management), and the fifth section of the NIST 800-53 information security standard (Identification and Authentication) include 11 (e.g., distinct) objectives, 63 (e.g., distinct) objectives, 55 (e.g., distinct) objectives, and 57 (e.g., distinct) objectives, respectively, that may need to be satisfied by an appropriate system, service, product, device, etc. to meet the requirements of the second, third, fourth, and fifth sections of the NIST 800-53. For example, a first objective of the 126 objectives in the first section (Access Control) of the NIST 800-53 information security standard is optionally related to single sign-on implementation requirements, a second objective of the 126 objectives in the first section (Access Control) of the NIST 800-53 information security standard is optionally related to concurrent session control implementation requirements, a third objective of the 126 objectives in the first section (Access Control) of the NIST 800-53 information security standard is optionally related to session lock implementation requirements, and a fourth objective of the 126 objectives in the first section (Access Control) of the NIST 800-53 information security standard is optionally related to pattern-hiding display implementation requirements. Example requirements for a respective objective will be described in more detail later, but one of ordinary skill in the art would understand that each objective in the NIST 800-53 information security standard may need to be implemented (or planned to be implemented) via one or more information security controls in the manner described by that objective for an appropriate system, service, product, device, etc. to satisfy the NIST 800-53 information security standard. Stated another way, an information security standard may include one or more distinct sets of cybersecurity objectives (e.g., a first set of cybersecurity objectives, a second set of cybersecurity objectives, or any number of cybersecurity objectives).

In some examples, if Subscriber A wishes to demonstrate that System A, Service A, Product A, and/or Device A satisfies the requirements of an information security standard, Subscriber A may submit to the regulatory body of that information security standard (or to an entity (e.g., auditor, assessment organization, etc.) acting on behalf of the regulatory body) one or more information security artifacts (e.g., one or more cybersecurity artifacts) indicating/describing how System A, Service A, Product A, and/or Device A implements one or more information security controls (e.g., one or more cybersecurity controls) in a manner that satisfies the one or more sections and the one or more objectives set forth in the information security standard. The one or more information security artifacts that may be submitted to a target regulatory body may need to be periodically resubmitted (e.g., on a monthly basis, a quarterly basis, a yearly basis, etc.) to maintain compliance with the information security standard for which the one or more information security artifacts were submitted. In some embodiments, these one or more information security artifacts that are submitted to the regulatory body (or to the entity acting on behalf of the regulatory body) must be in a format/structure that is accepted/approved by (e.g., structurally compliant with) that particular regulatory body. For example, if Subscriber A wishes to demonstrate that System A, Service A, Product A, and/or Device A satisfies the FedRAMP High information security standard, Subscriber A may be required to submit to the regulatory body of the FedRAMP High information security standard (or to the entity acting on behalf of the regulatory body) an information security artifact that is structured in a format approved by the regulatory body of the FedRAMP High information security standard, and that includes a description of the information security controls in use (or that are planned to be in use) by System A, Service A, Product A, and/or Device A, including how those information security controls are implemented in a manner that satisfies the sections and objectives of the FedRAMP High information security standard.

In some examples, if Subscriber A submits to the regulatory body of a respective information security standard an information security artifact (e.g., a cybersecurity artifact) that is not structured in a format approved by the regulatory body of that respective information security standard (e.g., out of scope, not structurally compliant), the regulatory body (or the entity acting on behalf of that regulatory body) will not accept the information security artifact and/or evaluate whether System A, Service A, Product A, and/or Device A satisfies the respective information security standard. For ease of description, in the remaining parts of the disclosure, whether an information security artifact (e.g., cybersecurity artifact, cybersecurity asset, or the like) satisfies the format required by a regulatory body (or by an entity acting on behalf of that regulatory body) of a respective information security standard may generally be referred to herein as evaluation-criteria or submittal-criteria defined by the respective information security standard (e.g., if the structure/format of the information security artifact is in an approved format by a regulatory body (or by an entity acting on behalf of the regulatory body) such that the information security controls of a system, service, product, and/or device described in the information security artifact may be evaluated to or against an information security standard, then the information security artifact satisfies evaluation-criteria defined by that information security standard). Conversely, if the structure/format of the information security artifact is not in an approved format (or structure) by a regulatory body (or by an entity acting on behalf of the regulatory body) such that the information security controls of a system, service, product, and/or device described in the information security artifact cannot be evaluated to or against the information security standard, then the information security artifact does not satisfy evaluation-criteria defined by that information security standard. Examples of when an information security artifact is determined to satisfy evaluation-criteria and not satisfy evaluation-criteria of an information security standard will be described in further detail with reference to FIGS. 2A-2WW.
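The data model described above (a standard made of ordered sections and objectives, a catalogue of cybersecurity control data objects, and an artifact that must cover every objective to satisfy the standard's submittal-criteria) as an added Python example; this is a constructed illustration, not code from the patent or the described service, and the standards, objective ids, control ids, status values and the submittal-criteria rule are all assumptions rather than any regulator's actual requirements.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    """One objective inside a section of an information security standard."""
    obj_id: str
    section: str
    title: str


@dataclass(frozen=True)
class Standard:
    """A standard: named sections, each a tuple of objectives (order preserved)."""
    name: str
    sections: dict  # section code -> tuple[Objective, ...]


@dataclass(frozen=True)
class ControlDataObject:
    """A cybersecurity control data object from a subscriber's data catalogue."""
    control_id: str
    description: str       # how the control is implemented
    status: str            # "implemented" or "planned" (assumed vocabulary)
    objectives: frozenset  # objective ids this control claims to satisfy


ACCEPTED_STATUSES = frozenset({"implemented", "planned"})


def build_artifact(standard, catalogue):
    """Generate an artifact for `standard` from `catalogue`.

    Returns (artifact, gaps): artifact maps each section, in the standard's
    order, to one entry per objective; gaps lists the objective ids that no
    acceptable control data object covers.
    """
    by_objective = defaultdict(list)
    for control in catalogue:
        for obj_id in control.objectives:
            by_objective[obj_id].append(control)

    artifact = {"standard": standard.name, "sections": {}}
    gaps = []
    for section, objectives in standard.sections.items():
        entries = []
        for obj in objectives:
            # A control counts only with an accepted status and a real description.
            controls = [c for c in by_objective.get(obj.obj_id, [])
                        if c.status in ACCEPTED_STATUSES and c.description.strip()]
            if not controls:
                gaps.append(obj.obj_id)
            entries.append({
                "objective": obj.obj_id,
                "title": obj.title,
                "controls": [{"id": c.control_id, "status": c.status,
                              "description": c.description} for c in controls],
            })
        artifact["sections"][section] = entries
    return artifact, gaps


def satisfies_submittal_criteria(standard, artifact):
    """Assumed structural rule: every section and objective of the standard appears,
    in the standard's order, and each objective lists at least one control."""
    sections = artifact.get("sections", {})
    if list(sections) != list(standard.sections):
        return False
    for section, objectives in standard.sections.items():
        entries = sections[section]
        if [e["objective"] for e in entries] != [o.obj_id for o in objectives]:
            return False
        if any(not e["controls"] for e in entries):
            return False
    return True


# Constructed sample data: not real NIST 800-53 numbering or control text.
STANDARD_A = Standard("Standard A (constructed)", {
    "AC": (Objective("A-AC-1", "AC", "single sign-on"),
           Objective("A-AC-2", "AC", "concurrent session control"),
           Objective("A-AC-3", "AC", "session lock")),
    "AT": (Objective("A-AT-1", "AT", "security awareness training"),),
})
STANDARD_B = Standard("Standard B (constructed)", {
    "AC": (Objective("B-AC-1", "AC", "session lock"),
           Objective("B-AC-2", "AC", "pattern-hiding display")),
})
CATALOGUE = [
    ControlDataObject("CTL-SSO", "SAML SSO via corporate IdP", "implemented",
                      frozenset({"A-AC-1"})),
    ControlDataObject("CTL-SESS", "Max 2 concurrent sessions per account", "planned",
                      frozenset({"A-AC-2"})),
    ControlDataObject("CTL-LOCK", "Screen lock after 15 min idle", "implemented",
                      frozenset({"A-AC-3", "B-AC-1"})),
    # Empty description: present in the catalogue but not usable in an artifact.
    ControlDataObject("CTL-TRAIN", "", "implemented", frozenset({"A-AT-1"})),
]


def gaps_for(standard, catalogue=CATALOGUE):
    """Objective ids of `standard` that `catalogue` does not acceptably cover."""
    return build_artifact(standard, catalogue)[1]


if __name__ == "__main__":
    for std in (STANDARD_A, STANDARD_B):
        art, gaps = build_artifact(std, CATALOGUE)
        print(std.name, "submittable:", satisfies_submittal_criteria(std, art),
              "gaps:", gaps)
```

The same catalogue yields different gaps against each standard, which is the point made later on the page: satisfying one standard's evaluation-criteria says nothing about another's.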

As shown in FIG. 2A, the user interface 204 of the information security service includes a selectable option 206. In some embodiments, the selectable option 206, when selected, optionally causes a file browsing user interface to be displayed, which is optionally a user interface of the operating system running on the electronic device 200 or a user interface of the information security service. In FIG. 2B, the electronic device 200 (or the information security service or the cybersecurity data handling and governance service) detected an input selecting the selectable option 206 (indicated by mouse 208 selecting the selectable option 206). In FIG. 2C, in response to the electronic device 200 (or the information security service) detecting the input selecting the selectable option 206, the electronic device 200 (or the information security service) optionally displays a file browsing user interface 235-1 that includes a first selectable option 210-1 that, when selected, optionally causes the electronic device 200 (or the information security service) to display one or more representations of one or more documents/files that have recently been accessed/opened at the electronic device 200, a second selectable option 210-2 that, when selected, optionally causes the electronic device 200 to display one or more representations of one or more applications currently installed on the electronic device 200, a third selectable option 210-3 that, when selected, optionally causes the electronic device 200 to display one or more representations of one or more documents/files that are currently located at the “desktop” or “home” location/folder directory on the electronic device 200, a fourth selectable option 210-4 that, when selected, optionally causes the electronic device 200 to display one or more representations of one or more documents/files that are currently located at the “documents” location/folder directory on the electronic device 200, and a fifth selectable option 210-5 that, when selected, optionally causes the electronic device 200 to display one or more representations of one or more documents/files that are currently located at the “downloads” location/folder directory on the electronic device 200. It should be understood that, in some embodiments, the browsing user interface 235-1 may include fewer or additional selectable options than the selectable options 210-1 thru 210-5 illustrated in FIG. 2C for accessing additional or different locations/folder directories stored on the electronic device 200.

As shown in FIG. 2C, the selectable option 210-3 is currently selected (e.g., has focus), and as a result, the file browsing user interface 235-1 is currently displaying one or more representations of files/documents that are located in the directory named “desktop” on the electronic device 200, including a first representation of a first information security artifact 212-1 named “SSP #1.docx,” a second representation of a second information security artifact 212-2 named “SSP #2.docx,” a third representation of a third information security artifact 212-3 named “SSP #3.docx,” a fourth representation of a fourth information security artifact 212-4 named “SSP #4.docx,” a fifth representation of a fifth information security artifact 212-5 named “SSP #5.docx,” and a sixth representation of a sixth information security artifact 212-6 named “SSP #6.docx.” In some embodiments, the first, second, third, fourth, fifth, and/or sixth information security artifacts may satisfy (or may be in the process of attempting to satisfy) evaluation-criteria defined by a first, second, third, fourth, fifth, and/or sixth information security standard, respectively. In some embodiments, different information security standards have different evaluation-criteria; thus an information security artifact that satisfies evaluation-criteria of a first information security standard does not necessarily satisfy evaluation-criteria of a second information security standard. It should be understood that while the first, second, third, fourth, fifth, and sixth information security artifacts are in the “.docx” file format, the information security artifacts could optionally be in other file formats while still satisfying respective evaluation-criteria of an information security standard (e.g., the content and the arrangement (or structure) of such content in the information security artifact is what determines if evaluation-criteria of an information security standard is satisfied, and not the file format of an information security artifact).

Additionally, as shown in FIG. 2C, the representations 212-1 thru 212-6 have been selected for upload to the information security service (indicated by indications 214-1 thru 214-6). In FIG. 2C, while the representations 212-1 thru 212-6 have been selected, the electronic device 200 (or the information security service) detects another input selecting selectable option 210-7 (indicated by mouse 208 selecting the selectable option 210-7). In response to the electronic device 200 (or the information security service) detecting the selection of selectable option 210-7, the electronic device 200 optionally transmits the information security artifacts corresponding to the representations 212-1 thru 212-6 (SSP #1.docx-SSP #6.docx) to the information security service, as shown in FIG. 2D. If, after detecting the selection of the representations 212-1 thru 212-6, the electronic device 200 detected an input selecting the selectable option 210-6 instead of the selectable option 210-7, the electronic device 200 optionally forgoes transmitting the information security artifacts corresponding to the representations 212-1 thru 212-6 (SSP #1.docx-SSP #6.docx) to the information security service.

In FIG. 2D, the information security service, via one or more computers, has received the information security artifacts that were transmitted in FIG. 2C, and thus the user interface 204 now includes the representations 212-1 thru 212-6 corresponding to the six (6) information security artifacts transmitted by the electronic device 200 (SSP #1.docx thru SSP #6.docx), which optionally satisfy evaluation-criteria defined by a first, second, third, fourth, fifth, and sixth information security standard, respectively. The user interface 204 also optionally includes selectable options 216-1 thru 216-6 to remove the first through sixth information security artifacts from the information security service. It should be understood that while FIGS. 2A-2D illustrate a scenario in which the electronic device 200 transmitted six information security artifacts (SSP #1.docx thru SSP #6.docx) to the information security service, the electronic device 200 could have submitted fewer or more information security artifacts (e.g., in accordance with how many representations of information security artifacts were selected when the electronic device 200 detected the input directed to selectable option 210-7 in FIG. 2C). In some embodiments, the information security service (e.g., automatically) receives one or more information security artifacts from one or more computer systems or devices other than device 200, such as from a server, system, and/or second electronic device that is in communication with the information security service.

In some embodiments, the electronic device 200 creates, in the information security service, one or more information security programs that correspond to the one or more information security artifacts that were transmitted to the information security service via one or more computers. Example operations and functions that can be performed with a respective information security program in the information security service will be described in detail later. In FIG. 2E, the electronic device 200 (or the information security service) has detected an input corresponding to a request to create, in the information security service, an information security program corresponding to each, or to a subset (e.g., two or more), of the information security artifacts transmitted by the electronic device 200 (indicated by mouse 208 selecting selectable option 218). In FIG. 2F, in response to the electronic device 200 detecting the input in FIG. 2E, the electronic device 200 (or the information security service) optionally initiates a process to create (or creates), in a web-accessible interface of the information security service, an information security program corresponding to each, or to a plurality, of the information security artifacts transmitted by the electronic device 200. It should be understood that the steps described below relating to the process of creating one or more information security programs corresponding to the one or more information security artifacts transmitted to the information security service may be combined and/or omitted. In some embodiments, the order of the steps described below may be changed.

In some embodiments, the process of creating or constructing an information security program corresponding to a transmitted information security artifact includes determining (e.g., predicting) the information security standard(s) to which the information security artifact corresponds. For example, as shown in FIG. 2F, in response to the electronic device 200 (or the information security service) initiating a process to create an information security program (which may also be referred to herein as a cybersecurity data catalogue) in the information security service corresponding to the first information security artifact (SSP #1.docx), the electronic device 200 (or the information security service) optionally analyzes/evaluates (e.g., determines) that the first information security artifact (SSP #1.docx) may satisfy the evaluation-criteria defined by the FedRAMP High information security standard.

In some embodiments, the electronic device 200 (or the information security service, via one or more computers) determined that the first information security artifact (SSP #1.docx) satisfied (or at least partially satisfied) the evaluation-criteria defined by the FedRAMP High information security standard via one or more machine learning models, or an ensemble of machine learning models, trained to output the information security standard that corresponds to a respective information security artifact. For example, if the one or more machine learning models or the ensemble of machine learning models outputs that the information security artifact corresponds to the first information security standard, the model(s) have determined that the information security artifact may satisfy the evaluation-criteria defined by the first information security standard; similarly, if a network of the one or more machine learning models outputs that the information security artifact corresponds to the second information security standard, the network has determined that the information security artifact may satisfy the evaluation-criteria defined by the second information security standard. In some examples, the one or more machine learning models, the ensemble of machine learning models, or the network of the one or more machine learning models may include one or more neural networks, such as one or more recurrent neural networks (RNN), convolutional neural networks (CNN), artificial neural networks (ANN), or any other suitable type of machine learning model. Because this output is a prediction, it is treated as a candidate label that the user confirms or rejects, as described with respect to FIGS. 2G-2I.

Additionally, as shown in FIG. 2F, in some embodiments the electronic device 200 (or the information security service) optionally displays a user interface 222 after (e.g., in response to) determining that the first information security artifact (e.g., probably or most likely) satisfies the evaluation-criteria defined by the FedRAMP High information security standard. User interface 222 optionally includes an indication of the confidence (e.g., a score) with which the network of machine learning models predicted that a respective information security artifact corresponds to a particular information security standard. For example, as shown in FIG. 2F, the user interface 222 includes a security standard-informed label 230 (e.g., a label or indication) indicating that the network of one or more machine learning models, the one or more machine learning models, or the ensemble of machine learning models predicted that the first information security artifact (SSP #1.docx) may best satisfy the evaluation-criteria of the FedRAMP High information security standard, and a second indication 228 indicating that this prediction was made with a confidence score of 97. It should be understood that other information security artifacts determined to correspond to the FedRAMP High information security standard may have a higher or lower confidence score than the one indicated in FIG. 2F.

Additionally, as shown in FIG. 2F, the user interface 222 optionally includes selectable options 220 thru 220-2. Selectable option 220, when selected, optionally ceases the process to create, in the information security service, an information security program corresponding to the first information security artifact (and/or ceases the process to create, in the information security service, an information security program corresponding to each of the information security artifacts (SSP #1.docx thru SSP #6.docx) that were transmitted to the information security service, as described in FIGS. 2D and 2E). Selectable option 220-1, when selected, optionally causes the electronic device 200 to execute processes and/or display user interfaces associated with creating an information security program (e.g., cybersecurity data catalogue) based on the second information security artifact (SSP #2.docx). Selectable option 220-2, when selected, optionally causes the electronic device 200 to execute processes and/or display user interfaces associated with creating an information security program based on the third information security artifact transmitted via device 200 (SSP #3.docx). The process for creating the information security programs corresponding to the second, third, fourth, fifth, and/or sixth information security artifacts (SSP #2.docx thru SSP #6.docx) is optionally analogous to the way in which the electronic device 200 (or the information security service) creates an information security program corresponding to the first information security artifact (SSP #1.docx).

In some embodiments, the user interface 222 optionally includes selectable options for confirming or rejecting the prediction made by the network of the one or more machine learning models, the one or more machine learning models, or the ensemble of machine learning models. For example, as shown in FIG. 2G, the user interface 222 includes a selectable option 224 that, when selected, confirms that the first information security artifact (SSP #1.docx) is an information security artifact of the FedRAMP High information security standard. In some embodiments, in response to the electronic device 200 (or the information security service) receiving an input confirming that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of the FedRAMP High information security standard, the electronic device 200 (or the information security service) causes the information security program corresponding to the first security artifact (SSP #1.docx) to include (or initialize or instantiate) a selectable/interactable hierarchical (e.g., tree-like) structure of the FedRAMP High information security standard (and optionally the objectives and/or sections of the FedRAMP High information security standard), as will be described in more detail with respect to FIGS. 2RR-2UU. In other words, the information security service may fast-generate and/or system-generate a target information security program (e.g., for the FedRAMP High information security standard) that relates to the information security standard in response to receiving an information security program construction signal, which is based on the information security service receiving an input (from a target user) confirming that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of the FedRAMP High information security standard. Stated differently, in some embodiments, the information security service may system-generate an information security program for a target information security artifact in fifteen (15) or fewer user inputs, fourteen (14) or fewer, thirteen (13) or fewer, twelve (12) or fewer, eleven (11) or fewer, ten (10) or fewer, nine (9) or fewer, eight (8) or fewer, seven (7) or fewer, six (6) or fewer, five (5) or fewer, four (4) or fewer, three (3) or fewer, two (2) or fewer, or one (1) or fewer user inputs after a target subscriber logs into the information security service.

It shall be noted that, in one or more embodiments, in response to the electronic device 200 (or the information security service) receiving an input confirming that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of the FedRAMP High information security standard, the electronic device 200 (or the information security service) may function to selectively source a subscriber-agnostic information security program from a plurality of distinct subscriber-agnostic information security programs based on the input confirming the type of information security artifact (e.g., confirming label 230). A subscriber-agnostic information security program, as generally referred to herein, may be a service-defined information security program template specifically configured for a distinct information security standard that includes at least one information security object digitally mapped to each information security objective defined by the information security standard.

In a first implementation, a subscriber-agnostic information security program may be defined for each information security standard recognized by the information security service. In such an implementation, via a reference table or any suitable data structure, each distinct information security standard recognized by the information security service may be mapped or electronically linked to the distinct subscriber-agnostic information security program to which that information security standard corresponds. For instance, in a non-limiting example, a first information security standard may be mapped to a first subscriber-agnostic information security program, and a second information security standard may be mapped to a second subscriber-agnostic information security program.

Accordingly, in one or more embodiments of the first implementation, based on the input confirming the type of the first information security artifact (e.g., label 230), the information security service may function to automatically source (or trigger or cause a system-generated spin-up or intelligent creation of) a (e.g., pre-fabricated) subscriber-agnostic information security program by performing a search of the reference mapping data structure or the like using the label 230 or the like. In such embodiments, the sourced (or identified or detected) subscriber-agnostic information security program may be initialized or instantiated in the information security service for a target subscriber (e.g., subscriber A). Additionally, in some embodiments, in response to the instantiation, the information security service may function to install selective subsets of the information security control data included in the uploaded information security artifact into selective portions of the subscriber-agnostic information security program, thereby producing a subscriber-specific information security program.
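The reference-table lookup and instantiation described in the preceding paragraphs, as an added example that is not the service's own code: a dict stands in for the reference mapping data structure, the template contents, objective and control identifiers, and function names are all assumptions, and the confirmed label is the lookup key. The template is deep-copied before any subscriber data is installed, so that one subscriber's control descriptions can never leak into the shared subscriber-agnostic template or into another subscriber's instance; controls in the artifact that have no objective in the selected standard are reported rather than silently dropped.

```python
"""Source a subscriber-agnostic program template by confirmed label and
instantiate it as a subscriber-specific program.

Constructed example: the reference table, identifiers and function names
are assumptions, not the service's own data model."""
from copy import deepcopy

# Reference table: confirmed standard label -> subscriber-agnostic template.
# Every objective carries at least one control object; all ids are placeholders.
TEMPLATES = {
    "FedRAMP High": {
        "standard": "FedRAMP High",
        "objectives": {
            "OBJ-1": {"controls": {"CTRL-1": {"description": None, "status": None}}},
            "OBJ-2": {"controls": {"CTRL-2": {"description": None, "status": None}}},
            "OBJ-3": {"controls": {"CTRL-3": {"description": None, "status": None}}},
        },
    },
    "Information Security Standard #1": {
        "standard": "Information Security Standard #1",
        "objectives": {
            "OBJ-A": {"controls": {"CTRL-A": {"description": None, "status": None}}},
        },
    },
}


def source_template(label):
    """Search the reference table with the confirmed label; None if unrecognized."""
    return TEMPLATES.get(label)


def instantiate_program(label, subscriber, artifact_controls):
    """Instantiate a subscriber-specific program from the template for `label`.

    artifact_controls maps control id -> {"description": ..., "status": ...}
    as extracted from the uploaded artifact. Returns (program, unmapped_ids).
    """
    template = source_template(label)
    if template is None:
        raise ValueError(f"no subscriber-agnostic program for label {label!r}")
    program = deepcopy(template)  # never mutate the shared template
    program["subscriber"] = subscriber
    # Index the instance's control objects so each install is a direct lookup.
    index = {cid: ctrl
             for obj in program["objectives"].values()
             for cid, ctrl in obj["controls"].items()}
    unmapped = []
    for cid, data in artifact_controls.items():
        if cid in index:
            index[cid].update(data)  # install only the subset that has a home
        else:
            unmapped.append(cid)  # documented control with no objective in this standard
    return program, sorted(unmapped)


# Constructed control data as it might be extracted from SSP #1.docx.
SSP1_CONTROLS = {
    "CTRL-1": {"description": "Accounts reviewed quarterly by the IAM team.", "status": "implemented"},
    "CTRL-3": {"description": "Audit logs retained for one year.", "status": "planned"},
    "CTRL-9": {"description": "Legacy control not in the standard.", "status": "implemented"},
}

if __name__ == "__main__":
    prog, unmapped = instantiate_program("FedRAMP High", "subscriber A", SSP1_CONTROLS)
    print(prog["subscriber"], sorted(prog["objectives"]), unmapped)
```

Rejecting an unrecognized label with an exception rather than returning an empty program is deliberate: the label is user-confirmed input, and a typo or an unsupported standard should stop program creation rather than produce a program with no objectives.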

Alternatively, if the electronic device 200 (or the information security service) did not detect the input confirming that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of the FedRAMP High information security standard, the electronic device 200 (or the information security service) optionally forgoes causing the information security program corresponding to the first security artifact (SSP #1.docx) (e.g., the information security program that is in the process of being created in the information security service in FIG. 2G) to include (or initialize or instantiate) the selectable/interactable hierarchical (e.g., tree-like) structure of the FedRAMP High information security standard.

It should be understood that if the electronic device 200 (or the information security service) had instead determined that the first information security artifact (SSP #1.docx) corresponds to a different information security standard other than the FedRAMP High information security standard, a selectable/interactable hierarchical (e.g., tree-like) structure of that different information security standard would have been added (or initialized or instantiated) to the information security program corresponding to the first information security artifact (SSP #1.docx) in response to the electronic device detecting a selection of the selectable option 224.

In some embodiments, in response to the electronic device 200 (or the information security service) detecting the input selecting the selectable option 224, an information security program corresponding to the first information security artifact (SSP #1.docx of Subscriber A) is automatically created in the information security service and is optionally viewable in a web-accessible interface in electronic communication with the information security service, as illustrated and described in FIGS. 2BB and 2CC (e.g., the user interface 259 in FIG. 2BB includes a representation 225-1 of information security program #1 because information security program #1 corresponds to the first information security artifact (SSP #1.docx)). In some embodiments, when the information security program corresponding to the first information security artifact (SSP #1.docx) is created in FIG. 2G, it does not yet include any information security control object data (e.g., until one or more information security control objects are added to it in ways similar to those described below). Alternatively, in some embodiments, the information security program corresponding to the first information security artifact (SSP #1.docx) is not created in the information security service until the electronic device 200 (or the information security service) detects one or more inputs for adding the one or more information security control objects to that information security program.

Additionally, as shown in FIG. 2G, the user interface 222 optionally includes a selectable option 226 that, when selected, rejects that the first information security artifact (SSP #1.docx) is an information security artifact of the FedRAMP High information security standard. It shall be noted that if the electronic device 200 (or the information security service) had instead determined that the first information security artifact (SSP #1.docx) corresponds to a different information security standard other than the FedRAMP High information security standard, then, in FIG. 2G, selectable option 226 would be selectable to reject that the first information security artifact (SSP #1.docx) corresponds to that different information security standard.

In FIG. 2H, the electronic device 200 (or the information security service) has detected an input that corresponds to a selection of the selectable option 226 (indicated by mouse 208 selecting the selectable option 226). In some embodiments, in response to the electronic device 200 (or the information security service) detecting the input described in FIG. 2H, the electronic device 200 (or the information security service) optionally displays the user interface 222-1, as will now be described with reference to FIG. 2I. In some embodiments, the user interface 222-1 includes a label 230 prompting the user of the electronic device 200 to select the correct information security standard that corresponds to the first information security artifact (SSP #1.docx), a search field 231, and/or search results 232-1 thru 232-4 that are displayed based on the input provided to the search field 231. For example, the search results 232-1 thru 232-4 are optionally being displayed by the electronic device 200 (or the information security service) because the electronic device 200 (or the information security service) received the input “Sta” at the search field 231 (e.g., the substring “Sta” is included in each of the search results 232-1 thru 232-4). It should be understood that the electronic device 200 optionally displays different search results than search results 232-1 thru 232-4 if the electronic device 200 (or the information security service) received a different input at the search field 231.

Additionally, as shown in FIG. 2I, the electronic device 200 (or the information security service) has received an input indicating that search result 232-1, corresponding to Information Security Standard #1, is the information security standard that corresponds to the first information security artifact (SSP #1.docx) (indicated by indication 236), and not the FedRAMP High information security standard as initially predicted/determined (e.g., by the one or more machine learning (e.g., classification) models) as described with respect to FIG. 2F.

In some embodiments, in response to the electronic device 200 (or the information security service) receiving the input indicating that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of Information Security Standard #1, the electronic device 200 (or the information security service) causes the information security program corresponding to the first security artifact (SSP #1.docx) to include (or instantiate or source) a selectable/interactable hierarchical (e.g., tree-like) structure of Information Security Standard #1 in ways analogous to those described above.

If the electronic device 200 (or the information security service) did not detect the input confirming that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of Information Security Standard #1 (e.g., did not receive the input selecting the search result 232-1), the electronic device 200 (or the information security service) optionally forgoes causing the information security program corresponding to the first information security artifact (SSP #1.docx) to include (or instantiate or source) the selectable/interactable hierarchical (e.g., tree-like) structure of Information Security Standard #1. Similarly, if the electronic device 200 (or the information security service) did not receive the input selecting search result 232-1 in FIG. 2I and instead detected an input selecting one or more of the search results 232-2 thru 232-4, the information security program corresponding to the first security artifact (SSP #1.docx) would optionally instead include (or source or instantiate) one or more selectable/interactable hierarchical (e.g., tree-like) structures for the different information security standards (e.g., Information Security Standard #2, #3, and/or #4) in ways analogous to those described above. In some embodiments, in response to the electronic device 200 detecting the input selecting the search result 232-1, the information security program corresponding to the first information security artifact (SSP #1.docx) is created in the information security service in ways similar to those described with respect to FIG. 2G.

In embodiments where the electronic device 200 (or the information security service) utilizes the network of one or more machine learning models to determine the information security standard(s) corresponding to a transmitted information security artifact, the inputs described in FIGS. 2F-2I may be used to update the training data of the network of the one or more machine learning models and/or may be used in retraining the network of the one or more machine learning models. For example, in a non-limiting example, the electronic device 200 (or the information security service) may update the training data of the network of the one or more machine learning models to include the first information security artifact (SSP #1.docx) (e.g., as a feature of the network) and the information security standard to which it corresponds (e.g., as a label of the network), namely the FedRAMP High information security standard, in response to the electronic device 200 receiving the confirming input in FIG. 2G. Where the prediction is instead rejected and corrected, as in FIGS. 2H-2I, the standard selected by the user (e.g., Information Security Standard #1), rather than the predicted one, is optionally recorded as the label. After the training data for the network of the one or more machine learning models is updated, the information security service or the electronic device 200 optionally triggers one or more processes/operations for retraining the network of the one or more machine learning models with the updated training data samples.

FIG. 2J illustrates a user interface 222-2 that is optionally displayed in response to the electronic device 200 (or the information security service) receiving the input in FIG. 2G confirming that the first information security artifact (SSP #1.docx) is an information security artifact of the FedRAMP High information security standard. If the electronic device 200 had instead received input indicating that the first information security artifact (SSP #1.docx) corresponds to a different information security standard, the information displayed in the user interface 222-2 would correspond to that information security standard, as will be understood from the description below. In one or more embodiments, the information security service may function to construct an intelligent contextual schematic that includes a plurality of metrics relating to a target security artifact, which may be displayed to a target subscriber. The user interface 222-2 may be in a system-default format configured to visually display the metrics in a standardized arrangement across the entire subscriber base of the information security service, or the user interface 222-2 may be personalized (or customized) to display only the relevant metrics (e.g., metrics exceeding a complexity threshold) and to omit irrelevant ones (e.g., if all controls are validated, display only the control-validated metric and not the other metrics, as those would be non-salient to a user's understanding of the information security artifact).

In some embodiments, after determining that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of the FedRAMP High information security standard, the electronic device 200 (or the information security service) determines whether one or more of the objectives defined by the FedRAMP High information security standard do not correspond to at least one information security control described (or included) in the first information security artifact (SSP #1.docx). For example, in FIG. 2J, the user interface 222-2 includes an indication 242 indicating that 11 of the objectives (e.g., objectives #1-#11) of the FedRAMP High information security standard do not correspond to at least one information security control of the first information security artifact (SSP #1.docx). In some embodiments, the electronic device 200 (or the information security service) determined that the first information security artifact (SSP #1.docx) did not include information security control data directed to any of the 11 objectives (e.g., objectives #1-#11) of the FedRAMP High information security standard because (1) the portions (e.g., sections) of the first information security artifact corresponding to the 11 objectives did not include a control data description of a corresponding information security control, (2) the first information security artifact did not include any portions corresponding to any of the 11 objectives, etc. In some embodiments, if the electronic device 200 (or the information security service) determines that one or more of the objectives of an information security standard do not correspond to at least one described information security control (e.g., information security control data) in the first information security artifact (SSP #1.docx), the first information security artifact (SSP #1.docx) does not satisfy the evaluation-criteria of that information security standard.

In some embodiments, the portions (e.g., sections) of the first information security artifact corresponding to the 11 objectives are made queryable (or searchable) by converting the contents of the first security artifact to a searchable structure (e.g., an XML, JSON, and/or YAML equivalent). It should be understood that if the electronic device 200 (or the information security service) determined that the first information security artifact (SSP #1.docx) corresponds to a different information security standard other than the FedRAMP High information security standard, the determination described above would be made relative to that different information security standard and not to the FedRAMP High information security standard. In some embodiments, the electronic device 200 (or the information security service) does not display the indication 242 if all of the objectives in the FedRAMP High information security standard correspond to at least one information security control (or information security control data) described in the first information security artifact (SSP #1.docx).

In some embodiments, after determining that the first information security artifact (SSP #1.docx) satisfies the evaluation-criteria of the FedRAMP High information security standard, the electronic device 200 (or the information security service) determines whether one or more information security controls described in the first information security artifact (SSP #1.docx) are associated with one or more anomalies. In some embodiments, if the electronic device 200 (or the information security service) determines that one or more of the information security controls described in the first information security artifact (SSP #1.docx) are associated with one or more anomalies, the first information security artifact does not satisfy the evaluation-criteria of the respective information security standard (e.g., the FedRAMP High information security standard). For example, in FIG. 2J, the user interface 222-2 includes an indication 240 as a result of the electronic device 200 (or the information security service) determining that 29 of the information security controls described (e.g., documented) in the first information security artifact are associated with one or more anomalies (e.g., errors when compared against the requirements of the information security standard).

In some embodiments, the electronic device 200 (or the information security service) determines that an information security control described (e.g., documented) in the first information security artifact is associated with one or more anomalies in response to determining that an entity (e.g., person, company, team, etc.) responsible for managing the information security control has not been indicated in the first information security artifact. For example, a first information security control of the 29 information security controls determined to be associated with one or more anomalies may be anomalous because the control description data of the first information security control in the first information security artifact (SSP #1.docx) does not indicate the entity responsible for managing the first information security control, and/or because the entity described as being responsible for managing the first information security control has not yet been defined in the information security service (e.g., is not recognized by the information security service because an entity object corresponding to that entity has not yet been created in the information security service). In some embodiments, entity objects are mapped to information security programs and/or information security controls created in the information security service, as will be described in greater detail below. In some embodiments, the description of an information security control in the first information security artifact, including the entity responsible for managing the information security control, is made queryable by converting the contents of the first security artifact to a searchable structure (e.g., an XML, JSON, and/or YAML equivalent). In some examples, an information security control described in the first information security artifact is not necessarily anomalous if its description does not name the entity responsible for managing it (e.g., if the objective in the information security standard to which the information security control corresponds does not require the responsible entity to be named). In some embodiments, if the entity described as being responsible for managing the first information security control has not yet been defined in the information security service, an entity object corresponding to that entity is automatically created in the information security service.

In some embodiments, the electronic device 200 (or the information security service) determines that an information security control described (e.g., documented) in the first information security artifact is associated with one or more anomalies in response to determining that one or more parameters of the corresponding objective are incorrectly documented in the description of the information security control in the first information security artifact (SSP #1.docx), and/or because the one or more parameters of the corresponding objective are not documented in that description at all. For example, an objective of an information security standard may require that user accounts associated with the system, service, product, and/or device that is attempting to be certified to the information security standard be reviewed for compliance with account management requirements at least annually. Thus, if the information security control was documented/described in the first security artifact (SSP #1.docx) in a way that does not semantically satisfy the at-least-annual requirement (e.g., was described as being reviewed at least every two years, once every three years, etc.), then that information security control is optionally determined to be anomalous. The described information security control data in the first information security artifact (SSP #1.docx) corresponding to the above-described objective may also be determined to be anomalous if the corresponding description data of the information security control did not include any description of the frequency with which user accounts are reviewed for compliance with account management requirements.

It should be understood that while the parameter of the above-described objective includes a time requirement within which the corresponding information security controls must be reviewed to satisfy that objective, other objectives may include parameters that are not time based (e.g., may instead have a parameter that has a predefined/limited number of value choices, a parameter that must be of a certain type (e.g., date, numerical, etc.), etc.), which may be determined to be anomalous in ways analogous to those described above. In some embodiments, the description data of an information security control in the first information security artifact, including the parameters corresponding to the objective (to which the information security control corresponds), is queryable by converting the contents of the first security artifact to an XML, JSON, and/or YAML equivalent. In some examples, an information security control described in the first information security artifact is not necessarily anomalous if the description of that information security control does not include a description of the parameters for the corresponding objective (e.g., if the objective in the information security standard to which the information security control corresponds does not require any parameters) (e.g., some objectives in the information security standard require parameters to be defined in the description of the corresponding information security control(s) and others do not).

In some embodiments, the electronic device 200 (or the information security service) determines that an information security control described (e.g., documented) in the first information security artifact is associated with one or more anomalies in response to determining that an implementation status of that information security control has not been indicated. For example, a second information security control of the 29 information security controls that were determined to be associated with one or more anomalies may have been determined to be anomalous because the description of the second information security control in the first information security artifact (SSP #1.docx) does not indicate the implementation status (e.g., implemented, partially implemented, planned, alternative implementation, not applicable, etc.) of the second information security control relative to the system, service, product, and/or device that is attempting to be certified to the information security standard. In some embodiments, the description of an information security control in the first information security artifact, including the implementation status of the information security control, is queryable by converting the contents of the first security artifact (SSP #1.docx) to an XML, JSON, and/or YAML equivalent. In some examples, an information security control described in the first information security artifact is not necessarily anomalous if the description of that information security control does not include the implementation status of the information security control (e.g., if the objective in the information security standard to which the information security control corresponds does not require the implementation status to be defined).

In some embodiments, the electronic device 200 (or the information security service) determines that an information security control described (e.g., documented, documented data) in the first information security artifact is associated with one or more anomalies in response to determining that the entity responsible for implementing that information security control has not been indicated. For example, a third information security control of the 29 information security controls that were determined to be associated with one or more anomalies may be determined to be anomalous because the description of the third information security control in the first information security artifact (SSP #1.docx) does not indicate which entity is responsible for implementing the third information security control (e.g., service provider, customer, customer and service provider, etc.) for the system, service, product, and/or device that is attempting to be certified to the information security standard. In some embodiments, the description of an information security control in the first information security artifact, including the entity that is responsible for implementing an information security control, is queryable by converting the contents of the first security artifact (SSP #1.docx) to an XML, JSON, and/or YAML equivalent. In some examples, an information security control described in the first information security artifact is not necessarily anomalous if the description of that information security control does not include an entity responsible for implementing the information security control (e.g., if the objective in the information security standard to which the information security control corresponds does not require the entity responsible for implementing the information security control to be defined).

In some embodiments, the electronic device 200 (or the information security service) determines that an information security control described (e.g., documented) in the first information security artifact is associated with one or more anomalies in response to determining that implementation details regarding the information security control have not been indicated/provided. For example, a fourth information security control of the 29 information security controls that were determined to be associated with one or more anomalies may be determined to be anomalous because the description of the fourth information security control in the first information security artifact (SSP #1.docx) does not include any implementation details (or includes only a portion of the required implementation details for the corresponding objective). In some embodiments, the description of an information security control in the first information security artifact, including the implementation details of the information security control, is queryable by converting the contents of the first security artifact (SSP #1.docx) to an XML, JSON, and/or YAML equivalent. In some examples, an information security control described in the first information security artifact is not necessarily anomalous if the description of that information security control does not include implementation details (e.g., the objective in the information security standard to which the information security control corresponds may not require the implementation details for the information security control to be defined).

In some embodiments, after determining that the first information security artifact (SSP #1.docx) satisfies evaluation-criteria of the FedRAMP High information security standard, the electronic device 200 (or the information security service) determines which information security controls described in the first information security artifact (SSP #1.docx) are not associated with one or more anomalies (e.g., such as the anomalies described above). For example, in FIG. 2J, the user interface 222-2 includes an indication 244 in response to the electronic device 200 (or the information security service) determining that 299 of the information security controls described (e.g., documented, documented data, control data) in the first information security artifact are not associated with one or more anomalies (e.g., indication 244 indicates that 299 of the information security controls described in the first information security artifact (SSP #1.docx) are validated with no anomalies). Additionally, in some embodiments, the user interface 222-2 includes an indication of the total number of information security controls that have been detected from the first information security artifact (SSP #1.docx). For example, as shown in FIG. 2J, the user interface 222-2 includes an indication 238 indicating that the electronic device 200 (or the information security service) has detected (e.g., determined) that the first information security artifact (SSP #1.docx) includes information describing 328 (e.g., distinct) information security controls.

As will be described in more detail later, in some embodiments, the process of creating, via one or more computers of the information security service, the information security program may include automatically mapping (e.g., determining) the information security controls detected in the first information security artifact (SSP #1.docx) to the sections and/or objectives of the corresponding information security standard, as will be described in more detail in FIGS. 2TT and 2UU. In some embodiments, the objective(s) of an industry standard to which a respective information security control described in the first information security artifact corresponds is queryable by converting the contents of the first security artifact (SSP #1.docx) to an XML, JSON, and/or YAML equivalent.

As shown in FIG. 2K, while the electronic device 200 (or the information security service) is displaying the user interface 222-2, the electronic device 200 (or the information security service) optionally receives an input selecting the indication 244, previously described above (indicated by mouse 208 selecting indication 244). In response to the electronic device 200 (or the information security service) receiving the input selecting the indication 244 in FIG. 2K, the electronic device 200 (or the information security service) optionally displays, via the display generation component 202, the user interface 246 illustrated in FIG. 2L. In some embodiments, the electronic device 200 (or the information security service) creates, in the information security service, one or more information security control objects corresponding to the one or more information security controls described (e.g., documented, control data) in a respective information security artifact. For example, the electronic device 200 (or the information security service) optionally creates, in the information security service, one or more information security control objects corresponding to the one or more information security controls described/documented (e.g., control data) in the first information security artifact (SSP #1.docx) in response to the electronic device 200 (or the information security service) transmitting the first information security artifact (SSP #1.docx) to the information security service (as described in FIGS. 2A-2E). In some embodiments, the one or more information security control objects corresponding to the one or more information security controls may be in a pending state (e.g., not actively linked to an information security program) and displayed on a web interface of the information security service that may be viewable by a target subscriber to the information security service.

In response to the electronic device 200 (or the information security service) receiving the input selecting the indication 244 as described in FIG. 2K, the electronic device 200 (or the information security service) optionally displays, via the display generation component 202, (e.g., control object) representations 254-1 thru 254-299 in the table user interface element 260, which are representations of the information security control objects that correspond to the 299 information security controls that were determined to have no errors (e.g., no anomalies) in the first information security artifact (SSP #1.docx). It should be understood that if the electronic device 200 (or the information security service) determined that the first information security artifact (SSP #1.docx) included (e.g., described) fewer or more information security controls that were not associated with any errors/anomalies, table 260 would optionally include more or fewer representations of information security control objects accordingly.

In some embodiments, the representations 254-1 thru 254-299 are selectable to display information (or data) associated with the information security control object to which it corresponds (e.g., such as the entity responsible data for the information security control, values of the parameter(s) of the objective(s) that correspond to the information security control, implementation status data, control origination data, implementation details data, etc.). For example, in FIG. 2M, the electronic device 200 (or the information security service) is detecting a selection of the representation 254-1 corresponding to the information security control object #1 (which corresponds to the information security control #1 described in the first information security artifact (SSP #1.docx)). In response to the electronic device 200 detecting the selection of the representation 254-1 of the information security control object #1, the electronic device 200 (or the information security service) optionally displays the user interface 264 illustrated in FIG. 2N. In some embodiments, the user interface 264 includes a label 264-1 indicating that the information displayed in the user interface 264 corresponds to the information describing information security control #1 in the first information security artifact (SSP #1.docx).

User interface 264, in some embodiments, also optionally includes an indication of the objective(s) in the FedRAMP High information security standard that correspond to the information security control #1 in the first information security artifact (SSP #1.docx) (or an indication of the objective(s) in a different information security standard if the electronic device 200 (or the information security service) determined that the first information security artifact (SSP #1.docx) corresponds to the different information security standard).

Additionally, as shown in FIG. 2N, the user interface 264 optionally includes fields 266-1 thru 266-5, which will now be described. Field 266-1 includes a label “Responsible Role” with a (e.g., data) value “Information Security Management Team,” field 266-2 includes a label “Parameter 1” with a (e.g., data) value “Technology Leadership,” field 266-3 includes a label “Implementation Status” with a (e.g., data) value “Implemented,” field 266-4 includes a label “Control Origination Status” with a (e.g., data) value “Service Provider Corporate,” and field 266-5 includes a label “Implementation Status Details” with a (e.g., data) value as illustrated in FIG. 2N. In some embodiments, the electronic device 200 (or the information security program) automatically created, via one or more computers, the information security control object #1 (e.g., the information security object being displayed in user interface 264 in FIG. 2N) with the fields 266-1 thru 266-5 because the objective(s) in the FedRAMP High information security standard to which the information security control object #1 corresponds may require such fields (e.g., the structure of the control object is derived from the FedRAMP High information security standard and the data or value (for each of the fields) are based on a target information security artifact (e.g., the first information security artifact)). Similarly, the fields 266-1 thru 266-5 optionally include the (e.g., data) values described above (and illustrated in FIG. 2N) because the description of the corresponding information security control (information security control #1) in the first information security artifact (SSP #1.docx) corresponds to these values. Stated differently, in one or more embodiments, the data or value for each field (e.g., 266-1 thru 266-5) of a target control may be automatically and selectively extracted from the first information security artifact and installed at a target location in a target information security control object, via one or more computers of the information security service, as shown generally by way of example in FIG. 2N.

That is, in the example illustrated in FIG. 2N, the information security control #1 optionally includes the field that corresponds to the label “Responsible Role” because the objective in the FedRAMP High information security standard with which the information security control object #1 corresponds may require the “Responsible Role” to be defined. Similarly, the field 266-1 optionally includes the value “Information Security Management Team” because the description of the information security control #1 relating to the “Responsible Role” in the first information security artifact (SSP #1.docx) corresponds to the “Information Security Management Team.” The labels and (e.g., data) values of the fields 266-2 thru 266-5 for the information security control #1 are optionally determined in ways analogous to those described above.

It should be understood that if the representation 254-2 of the information security control object #2 were selected in FIG. 2M instead of the representation 254-1 of the information security control object #1, the electronic device 200 (or the information security service) would optionally display different fields and/or (e.g., data) values than those illustrated in FIG. 2N (e.g., because the objective in the FedRAMP High information security standard to which information security control object #2 corresponds is different and/or because the description data in the first information security artifact (SSP #1.docx) corresponding to the information security control #2 is different than the description corresponding to the information security control #1). In some embodiments, the values corresponding to the fields 266-1 thru 266-5 follow the typographical emphasis/attention (e.g., bolding, underlining, highlighting, font, size, capitalization, letter spacing, paragraph spacing, bullet points, ordered lists, etc.) included in the corresponding description/content data in the first information security artifact (SSP #1.docx). For example, as illustrated in FIG. 2N, the value of the field 266-5 in FIG. 2N includes typographical attention or emphasis, including one or more phrases that are bolded, underlined, highlighted, and/or bulleted. The value corresponding to the field 266-5 optionally includes one or more phrases that are bolded, underlined, highlighted, and/or bulleted because these one or more phrases in the first information security artifact (SSP #1.docx) are similarly bolded, underlined, highlighted, and/or bulleted in the description corresponding to the “Implementation Details #1” for the information security control #1.

Additionally, as shown in FIG. 2N, the user interface 264 optionally includes the selectable option 268 that, when selected, causes the electronic device 200 (or the information security service) to save the information security control object #1 to the information security program, in the information security service, that corresponds to the first security artifact (SSP #1.docx). In some embodiments, a user interface similar to user interface 264 is displayed when one of the items 241-1 thru 241-328 displayed in FIG. 2CC is selected. In some embodiments, one or more information security control objects can be saved, in bulk, to the information security program, in the information security service, that corresponds to the first security artifact (SSP #1.docx). For example, in FIG. 2O, the electronic device 200 (or the information security service) has detected an input selecting the selectable option 256-1. In response to the electronic device 200 (or the information security service) detecting the input selecting the selectable option 256-1, in FIG. 2P, the electronic device 200 (or the information security service) selects the representations 254-1 thru 254-299 of the information security control objects #1-#299 (indicated by the indications 256-1 thru 256-299). In other words, in one or more embodiments, in response to saving one or more of the information security control objects or a subset of information security control objects, the information security control objects may be redesignated from a pending, non-linked state to a saved, linked state.

Stated another way, in one or more embodiments, the cybersecurity data handling and governance service may function to identify, by one or more computers of the cybersecurity data handling and governance service, a cybersecurity artifact that includes a plurality of cybersecurity controls, wherein each cybersecurity control of the plurality of cybersecurity controls includes cybersecurity control data. In such embodiments, the cybersecurity data handling and governance service may additionally function to selectively instantiate, by the one or more computers of the cybersecurity data handling and governance service, a subscriber-agnostic cybersecurity data structure from a plurality of subscriber-agnostic cybersecurity data structures based on identifying an artifact type (e.g., System Security Plan (SSP), etc.) of the cybersecurity artifact, wherein the subscriber-agnostic cybersecurity data structure includes a plurality of distinct cybersecurity control data foundation objects (e.g., a plurality of distinct cybersecurity control data foundation objects without subscriber-specific data). Additionally, in such embodiments, the cybersecurity data handling and governance service may function to generate a subscriber-specific cybersecurity data catalogue (e.g., information security program) based on at least the cybersecurity artifact, which may include computing, by the one or more computers of the cybersecurity data handling and governance service, a plurality of cybersecurity artifact metrics based on the cybersecurity control data associated with the cybersecurity artifact, including a first cybersecurity artifact metric of the plurality of cybersecurity artifact metrics that may indicate a quantity of controls detected in the cybersecurity artifact; a second cybersecurity-informed artifact metric of the plurality of cybersecurity artifact metrics that may indicate a quantity of absent controls not included in the cybersecurity artifact; a third cybersecurity-informed artifact metric of the plurality of cybersecurity artifact metrics that may indicate a quantity of control anomalies associated with the cybersecurity artifact; and a fourth cybersecurity-informed artifact metric of the plurality of cybersecurity artifact metrics that may indicate a quantity of validated controls associated with the cybersecurity artifact. Additionally, in such embodiments, the cybersecurity data handling and governance service may function to display, by the one or more computers of the cybersecurity data handling and governance service, a cybersecurity artifact explainability user interface that visually displays at least one selectable user interface element that corresponds to at least one of the plurality of cybersecurity-informed artifact metrics, and identify, by the one or more computers of the cybersecurity data handling and governance service, a subscriber selection of the at least one selectable user interface element, and in response to identifying the subscriber selection of the at least one selectable user interface element, expose cybersecurity metric data underpinning the at least one of the plurality of cybersecurity-informed artifact metrics. Additionally, in such embodiments, the cybersecurity data handling and governance service may function to selectively install, by the one or more computers of the cybersecurity data handling and governance service, the cybersecurity metric data underpinning the at least one of the plurality of cybersecurity-informed artifact metrics into one or more of the plurality of distinct control data foundation objects of the subscriber-agnostic cybersecurity data structure.
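The anomaly checks described for FIG. 2J (a parameter that does not satisfy the objective, a missing implementation status, a missing responsible entity, missing implementation details, each only where the objective requires it) and the four artifact metrics summarized above, worked through in Python as an added example that is not the patent's code. It assumes the artifact has already been converted to a JSON-like structure as the description proposes; the field names, objective definitions, review-period vocabulary and sample controls are all constructed for the example.

```python
"""Anomaly validation and artifact metrics over controls extracted from an SSP.

Added illustration, not code from the patent. It assumes the artifact has already
been converted to a JSON-like structure (the description says the artifact is made
queryable as XML/JSON/YAML); field names, objectives and sample controls are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Implementation status values the description lists as valid.
ALLOWED_STATUSES = {"implemented", "partially implemented", "planned",
                    "alternative implementation", "not applicable"}

# Rough conversion of review-frequency phrases to days, for the time-parameter check.
PERIOD_WORDS = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 91,
                "semiannually": 182, "annually": 365}
NUMBER_WORDS = {"two": 2, "three": 3, "four": 4, "five": 5}
UNIT_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}


def period_in_days(text: str) -> Optional[int]:
    """Parse phrases such as 'at least annually' or 'once every three years'
    into a number of days; return None when the phrase is not understood."""
    t = text.lower()
    for word, days in PERIOD_WORDS.items():
        if word in t:
            return days
    m = re.search(r"every\s+(\w+)\s+(day|week|month|year)s?", t)
    if m:
        count = NUMBER_WORDS.get(m.group(1))
        if count is None and m.group(1).isdigit():
            count = int(m.group(1))
        if count:
            return count * UNIT_DAYS[m.group(2)]
    return None


@dataclass
class Objective:
    """One objective of the standard: the fields a control description must
    document and, optionally, the longest review period that still satisfies it."""
    id: str
    required_fields: frozenset
    max_review_days: Optional[int] = None


def validate_control(control: Dict, objective: Objective) -> List[str]:
    """Return the anomalies for one control description; empty means validated.
    A missing field is only an anomaly when the objective actually requires it."""
    anomalies = []
    for name in sorted(objective.required_fields):
        if not control.get(name):
            anomalies.append(f"missing {name}")
    status = control.get("implementation_status")
    if status and status.lower() not in ALLOWED_STATUSES:
        anomalies.append(f"unknown implementation_status '{status}'")
    if objective.max_review_days is not None:
        phrase = control.get("parameters", {}).get("review_period")
        if not phrase:
            anomalies.append("missing parameter review_period")
        else:
            days = period_in_days(phrase)
            if days is None or days > objective.max_review_days:
                anomalies.append(f"review_period '{phrase}' does not satisfy "
                                 f"at most {objective.max_review_days} days")
    return anomalies


def compute_metrics(controls: List[Dict], objectives: Dict[str, Objective]) -> Dict[str, int]:
    """The four artifact metrics: controls detected, objectives with no control
    mapped to them (absent), controls with anomalies, and validated controls."""
    anomalous = 0
    covered = set()
    for control in controls:
        covered.add(control["objective"])
        if validate_control(control, objectives[control["objective"]]):
            anomalous += 1
    return {"detected": len(controls),
            "absent": len(set(objectives) - covered),
            "anomalies": anomalous,
            "validated": len(controls) - anomalous}


# Constructed sample: four objectives and four control descriptions.
OBJECTIVES = {
    "OBJ-1": Objective("OBJ-1", frozenset({"responsible_role", "implementation_status",
                                           "implementation_details"}), max_review_days=365),
    "OBJ-2": Objective("OBJ-2", frozenset({"implementation_status", "implementation_details"})),
    "OBJ-3": Objective("OBJ-3", frozenset({"implementation_status"})),
    "OBJ-4": Objective("OBJ-4", frozenset({"implementation_status"})),  # no control maps here
}
SAMPLE_CONTROLS = [
    {"id": "#1", "objective": "OBJ-1", "responsible_role": "Information Security Management Team",
     "implementation_status": "Implemented", "implementation_details": "Accounts reviewed each quarter.",
     "parameters": {"review_period": "at least annually"}},
    {"id": "#2", "objective": "OBJ-1", "responsible_role": "Technology Leadership",
     "implementation_status": "Implemented", "implementation_details": "Reviewed on a fixed cycle.",
     "parameters": {"review_period": "once every three years"}},  # longer than annual: anomaly
    {"id": "#3", "objective": "OBJ-2", "implementation_details": "Enforced by role policy."},  # no status
    {"id": "#4", "objective": "OBJ-3", "implementation_status": "Planned"},  # role not required: fine
]
```

Running `compute_metrics(SAMPLE_CONTROLS, OBJECTIVES)` on the constructed sample yields 4 detected, 1 absent objective, 2 anomalous and 2 validated controls, the same four counts the indications in FIG. 2J report for the real artifact.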

Additionally, as shown in FIG. 2P, while the representations 254-1 thru 254-299 of the information security control objects #1-#299 are selected, the electronic device 200 (or the information security service) receives an input selecting the selectable option 252 (indicated by mouse 208 selecting the selectable option 252), and in response to receiving the input, the electronic device 200 (or the information security service) optionally saves and/or digitally maps and/or digitally links the information security control objects #1-#299 to the information security program, in the information security service, that corresponds to the first security artifact (SSP #1.docx). In some embodiments, an indication/notification is optionally displayed, via the display generation component 202, when the information security control objects #1-#299 are successfully saved to the information security program, in the information security service, that corresponds to the first security artifact (SSP #1.docx). While FIG. 2P illustrates an example of saving 299 information security control objects to the information security program, in the information security service, that corresponds to the first security artifact (SSP #1.docx), it should be understood that fewer information security control objects could be saved to the information security program, in the information security service, that corresponds to the first security artifact (SSP #1.docx) (e.g., if fewer information security control objects had been selected in FIG. 2O).

In some embodiments, the electronic device 200 (or the information security service) detects a request to display one or more information security control (e.g., data) objects that have been created to correspond to the information security controls (e.g., information security control data) described in the first information security artifact (SSP #1.docx) determined to have one or more anomalies, as will now be described with respect to FIGS. 2Q-2U. In FIG. 2Q, the electronic device 200 (or the information security service) is displaying, in the user interface 246, a list of links, including a first link 248 that is selectable to navigate back to the user interface 222-2 described with respect to FIG. 2J and a second link 250 that is selectable to display user interface 246 (e.g., the user interface that the electronic device 200 is currently displaying in FIG. 2Q). Additionally, in FIG. 2Q, the electronic device 200 is detecting a selection of the first link 248, which in response causes the electronic device 200 (or the information security service) to display the user interface 222-2 as illustrated in FIG. 2R (previously described with respect to FIG. 2J). It should be understood that in some embodiments, the user interface 246 does not include the above-described list of links (e.g., first link 248 and/or second link 250), and instead provides the user with different means (or user interface elements) to navigate the user interfaces of the information security service.

In FIG. 2R, while the electronic device 200 (or the information security service) is displaying the user interface 222-2, the electronic device 200 detects an input corresponding to a request to display the information security control objects that correspond to the information security controls described in the first information security artifact (SSP #1.docx) determined to have one or more anomalies.

In response to the electronic device 200 (or the information security service) detecting the input in FIG. 2R, the electronic device 200 (or the information security service) optionally displays, via the display generation component 202, the user interface 266 illustrated in FIG. 2S. As illustrated in FIG. 2S, the user interface 266 optionally includes a table user interface element 262, which includes (e.g., control data object) representations 272-1 thru 272-28 of information security control objects #300-#328. The representations 272-1 thru 272-28 are optionally being displayed in the table user interface element 262 because the information security control objects that correspond to the representations 272-1 thru 272-28 (information security control objects #300-#328) were created, in the information security service, to correspond to the 29 information security controls described in the first information security artifact (SSP #1.docx) that were determined to have one or more anomalies (e.g., such as one or more of the anomalies described previously in FIG. 2J). In some embodiments, the information security control objects #300-#328 are saved to the information security program corresponding to the first information security artifact (SSP #1.docx) in one or more ways similar to those described in FIGS. 2N and/or 2P (e.g., after individually selecting one or more of the representations 272-1 thru 272-28 and/or after selecting the representations 272-1 thru 272-28 via selectable option 268-1, selecting the selectable option 268 to save the information security control objects corresponding to the selected representations to the information security program that corresponds to the first information security artifact (SSP #1.docx)).

In some embodiments, the representations 272-1 thru 272-28 are selectable to display information for a corresponding information security control object. For example, in FIG. 2T, the electronic device 200 (or the information security service) detects an input selecting the representation 272-1 corresponding to the information security control object #300 (which corresponds to the information security control #300 data described in the first information security artifact (SSP #1.docx)). In response to the electronic device 200 (or the information security service) detecting the input selecting the representation 272-1 in FIG. 2T, the electronic device 200 (or the information security service) optionally displays the user interface 278 illustrated in FIG. 2U. In some embodiments, a user interface similar to user interface 278 is displayed by the electronic device 200 if an item corresponding to information security control object #300 is selected in FIG. 2CC. The user interface 278 optionally includes a label (or control data header) 273 that indicates the user interface 278 is displaying information corresponding to the information security control object #300 (e.g., the information security control object corresponding to the representation 272-1 selected in FIG. 2T). Additionally, the user interface 278 includes (e.g., control data) fields 280-290, which are optionally being displayed in user interface 278 for reasons similar to those described above and/or with respect to FIG. 2N.

In some embodiments, the electronic device 200 (or the information security service) displays one or more (visual) indications indicating that one or more fields of the information security control object #300 are associated with one or more anomalies. For example, the electronic device 200 (or the information security service) is emphasizing or driving the attention of a target subscriber to the fields 282-288 (indicated by the black border and the alert icons 213-1 thru 213-4 that are being displayed in association with the fields 282-288, respectively) and is not emphasizing field 280 because the electronic device 200 (or the information security service) determined that the description/information data corresponding to the field 280 in the first information security artifact (SSP #1.docx) was not associated with one or more anomalies and that the description/information data corresponding to the fields 282-286 in the first information security artifact (SSP #1.docx) was associated with one or more anomalies (e.g., the corresponding control data was anomalous in the first information security artifact and is visually presented, by one or more computers, on the user interface shown in FIG. 2U). The electronic device 200 (or the information security service) is optionally determining that fields 282-286 are associated with one or more anomalies for reasons similar to those described in FIG. 2J. In some embodiments, the alert icons 213-1 thru 213-4 are selectable to inform/guide the user of the electronic device 200 how to resolve the associated anomaly, thus optionally allowing the anomalies associated with an information security control object to be resolved (or remediated or mitigated) before that information security control object is added to an information security program in the information security service. In some embodiments, if the electronic device 200 detected an input corresponding to a request to save the information security object #300 to the information security program corresponding to the first information security artifact (SSP #1.docx) (e.g., by selecting the selectable option 274) while the information security control object #300 was still associated with at least one anomaly, the electronic device 200 would optionally display an indication that includes a first selectable option for continuing to save the information security control object #300 to the information security program corresponding to the first information security artifact (SSP #1.docx) and a second selectable option for forgoing saving the information security control object #300 to the information security program corresponding to the first information security artifact (SSP #1.docx). In some embodiments, if the information security control object #300 is saved to the information security program corresponding to the first information security artifact (SSP #1.docx) while the information security control object #300 is still associated with at least one anomaly, the information security control object #300 continues to not satisfy the requirements of the objective to which the information security control object #300 corresponds (e.g., even after information security control object #300 is added to the information security program corresponding to the first information security artifact (SSP #1.docx)) and thus optionally does not satisfy the evaluation-criteria defined by the FedRAMP High information security standard.

In some embodiments, the electronic device 200 (or the information security service) receives an input corresponding to a request to display the one or more objectives of an information security standard (and/or one or more information security controls) that were determined to not be satisfied (or absent) by an information security artifact transmitted to the information security service, such as the first information security artifact (SSP #1.docx) described in FIGS. 2A-2E. For example, in FIG. 2V, while the electronic device 200 (or the information security service) is displaying the user interface 222-2, the electronic device (or the information security service) detects an input selecting the indication 242 (indicated by mouse 208 selecting the indication 242). In response to the electronic device 200 detecting the input selecting the indication 242 in FIG. 2W, the electronic device (or the information security service) optionally displays the user interface 294. As shown in FIG. 2W, the user interface 294 optionally includes a table user interface element 296 that includes items 295-1 thru 295-11 corresponding to Objectives #1-#11 in the FedRAMP High information security standard, respectively. As described in more detail previously, the items 295-1 thru 295-11 corresponding to Objectives #1-#11 are optionally being displayed in the table user interface element 296 in response to the electronic device 200 (or the information security service) determining that none (e.g., zero) of the information security controls described in the first information security artifact (SSP #1.docx) correspond to Objectives #1-#11 in the FedRAMP High information security standard (or another information security standard if the electronic device 200 (or the information security service) detected that the first information security artifact (SSP #1.docx) corresponds to another information security standard) (e.g., if the electronic device 200 determined that the first information security artifact (SSP #1.docx) did not describe an information security control directed to Objective #1 in the FedRAMP High information security standard, the table user interface 296 would optionally not include the item 295-1 corresponding to Objective #1 in the FedRAMP High information security standard).

In some embodiments, the items 295-1 thru 295-11 are selectable to create or initiate a process to create, in the information security service, one or more corresponding information security control (e.g., data) objects. For example, in FIG. 2W, the electronic device 200 (or the information security service) is detecting an input selecting the item 295-1 corresponding to Objective #1 in the FedRAMP High information security standard (indicated by mouse 208 selecting the item 295-1). In response to the electronic device 200 (or the information security service) detecting the input in FIG. 2W, the electronic device 200 (or the information security service) optionally displays the user interface 293 in FIG. 2X. In some embodiments, a user interface similar to the user interface 293 is displayed in response to selecting the selectable option 225-1 in FIG. 2HH. In some embodiments, the user interface 293 includes a description (e.g., objective structure, an objective shell structure, a control shell structure or the like) of the Objective #1 in the FedRAMP High information security standard (e.g., in accordance with the description requirements of the AC-1 Objective described in FIG. 2UU).

In some embodiments, the user interface 293 includes a label 289 for indicating that the information security control (e.g., data) object being created at the user interface 293 is directed to Objective #1 in the FedRAMP High information security standard. Additionally, in some embodiments, the user interface 293 includes one or more (e.g., data) fields that are required in order for the information security control being created at the user interface 293 to satisfy Objective #1 in the FedRAMP High information security standard. For example, as illustrated in FIG. 2X, the user interface 293 includes fields 275-285. The field 285 is optionally included in the user interface 293 in response to the electronic device 200 (or the information security service) determining that the Objective #1 in the FedRAMP High information security standard requires that the one or more information security controls corresponding to the Objective #1 in the FedRAMP High information security standard include an entity (e.g., person, team, company, etc.) responsible for managing the one or more information security controls corresponding to the Objective #1 in the FedRAMP High information security standard.

The Objective #1 in the FedRAMP High information security standard is optionally an objective that requires: “The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.” Accordingly, the field 283 (Parameter #1) is optionally included in the user interface 293 in response to the electronic device 200 (or the information security service) determining that the Objective #1 requires a parameter to be defined that indicates the frequency (e.g., every 3, 6, 9, 12 months, etc.) in which security awareness training is provided to information system users (e.g., the users administering the system, service, product, and/or device that is attempting to be certified to the FedRAMP High information security standard) (“The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors . . . [Assignment: organization-defined frequency]”). In some embodiments, if input is directed to the field 283 that is not “time” based, the electronic device 200 (or the information security service) may display an alert/indication in association with the field 283 as described in FIG. 2U.

The fields 281 and 279 are optionally included in the user interface 293 in response to the electronic device 200 (or the information security service) determining that the Objective #1 in the FedRAMP High information security standard requires that information security control(s) corresponding to the Objective #1 in the FedRAMP High information security standard include an implementation status and a control origination status, respectively, as described previously. Similarly, the fields 277 and 275 are optionally included in the user interface 293 in response to the electronic device 200 (or the information security service) determining that the Objective #1 in the FedRAMP High information security standard requires an explanation as to how the information security control(s) corresponding to the Objective #1 in the FedRAMP High information security standard satisfy part (a) and part (b), described above, of the Objective #1, respectively. In some embodiments, the electronic device 200 (or the information security service) receives a sequence of one or more (e.g., text) inputs directed to the fields 275-279 for entering the required (e.g., data, subscriber-specific) information at the fields 275-285, and updates the fields 275-279 in accordance with the sequence of one or more inputs. After detecting the sequence of one or more inputs directed to the fields 275-279, the information security object corresponding to Objective #1 is optionally added to the information security program corresponding to the first information security artifact (SSP #1.docx) when the electronic device 200 (or the information security service) detects a selection of selectable option 287.
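The checks described above (required fields for Objective #1, a Parameter #1 that must be “time” based, and the table of objectives with no mapped control) are shown below as an added example; it is not code from the patent, and the field names, the time-based rule, and the sample control objects are constructed assumptions.

```python
"""Added example (not the patent's own code): pre-save validation of an
information security control (data) object created at a user interface
like 293, plus the list of objectives that no control maps to (table 296).

Constructed assumptions: field names, the time-based parameter rule and the
sample objects are illustrative, not taken from the patent.
"""
import re
from dataclasses import dataclass, field

# Fields the text lists for Objective #1: responsible role (285),
# Parameter #1 frequency (283), implementation status (281), control
# origination (279) and the explanations for parts (a) and (b) (277, 275).
REQUIRED_FIELDS = (
    "responsible_role",
    "parameter_1",
    "implementation_status",
    "control_origination",
    "part_a_implementation",
    "part_b_implementation",
)

# Constructed rule for a "time based" Parameter #1: a count plus a time unit
# (e.g. "every 6 months") or a single recurring-interval word.
_TIME_BASED = re.compile(
    r"^\s*(every\s+)?(\d+\s*(day|week|month|year|quarter)s?|"
    r"daily|weekly|monthly|quarterly|annually|semi-annually)\s*$",
    re.IGNORECASE,
)


@dataclass
class ControlObject:
    """A minimal information security control (data) object (constructed)."""
    control_id: str
    objective_id: int                 # objective in the standard it maps to
    fields: dict = field(default_factory=dict)


def is_time_based(value: str) -> bool:
    """True when a Parameter #1 value expresses a frequency."""
    return bool(_TIME_BASED.match(value or ""))


def find_anomalies(control: ControlObject) -> list[str]:
    """Return the anomalies a service could flag with alert icons like 213-1..4.

    An empty list means the object can be saved without the confirmation
    prompt the text describes for selectable option 274.
    """
    anomalies = []
    for name in REQUIRED_FIELDS:
        if not str(control.fields.get(name, "")).strip():
            anomalies.append(f"{name}: required field is empty")
    param = control.fields.get("parameter_1", "")
    if param and not is_time_based(param):
        anomalies.append("parameter_1: value is not time based")
    return anomalies


def unmet_objectives(controls: list[ControlObject], objective_ids: range) -> list[int]:
    """Objectives with no control mapped to them (the items listed in table 296)."""
    covered = {c.objective_id for c in controls}
    return [o for o in objective_ids if o not in covered]


# Constructed sample objects: one complete, one with a blank origination
# status and a Parameter #1 that is not a frequency.
SAMPLE_GOOD = ControlObject("ISC-300", 1, {
    "responsible_role": "Information Security Management Team",
    "parameter_1": "every 12 months",
    "implementation_status": "Implemented",
    "control_origination": "Service Provider Corporate",
    "part_a_implementation": "New users complete training at onboarding.",
    "part_b_implementation": "Training is repeated after major system changes.",
})
SAMPLE_BAD = ControlObject("ISC-301", 2, {
    **SAMPLE_GOOD.fields, "parameter_1": "all staff", "control_origination": "",
})

if __name__ == "__main__":
    print(find_anomalies(SAMPLE_GOOD))                      # []
    print(find_anomalies(SAMPLE_BAD))                       # two anomalies
    print(unmet_objectives([SAMPLE_GOOD, SAMPLE_BAD], range(1, 12)))  # 3..11
```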

Additionally, as shown in FIG. 2X, the electronic device 200 (or the information security service) is detecting an input selecting the first link 248, previously described, and in response, the electronic device 200 (or the information security service) optionally displays the user interface 222-2, as previously described and as illustrated in FIG. 2Y. In some embodiments, the electronic device 200 (or the information security service) displays, via the display generation component 202, one or more information security control objects that correspond to the detected information security controls described in the first information security artifact (SSP #1.docx). For example, in FIG. 2Y, the electronic device 200 (or the information security service) is detecting an input directed to the indication 238 (indicated by mouse 208 selecting the indication 238). In response to the electronic device 200 detecting the input selecting the indication 238 in FIG. 2Y, the electronic device 200 optionally displays the user interface 273. The user interface 273 optionally includes a table user interface element 269 that includes items 261-1 thru 261-328 corresponding to the information security control objects #1-#328 (e.g., includes information security control objects that correspond to the information security controls described/identified in the first information security artifact (SSP #1.docx)). In some embodiments, the items 261-1 thru 261-328 are selectable to save the corresponding information security control objects #1-#328 to the information security program corresponding to the first information security artifact (SSP #1.docx) in analogous ways as previously described with respect to FIGS. 2J-2Z and/or as described above. Similarly, the items 261-1 thru 261-328 are optionally selectable to display information for a corresponding information security object in analogous ways described in FIGS. 2J-2Z (e.g., if the electronic device 200 (or the information security service) detects a selection of item 261-1 corresponding to the information security control object #1, the electronic device 200 (or the information security service) optionally displays information associated with the information security control object #1 in one or more ways previously described in FIGS. 2J-2Z).

In some embodiments, after adding (e.g., saving) one or more information security control objects to the information security program corresponding to the first information security artifact (SSP #1.docx) (or after determining that the first information security artifact (SSP #1.docx) corresponds to a particular information security standard), the electronic device 200 (or the information security service) receives an input to display one or more user interfaces associated with creating an information security program corresponding to the second information security artifact (SSP #2.docx) transmitted in FIGS. 2A-2E. For example, in FIG. 2Z, the electronic device 200 receives an input that may be directed to the first link 248 (indicated by mouse 208 selecting the first link 248) after adding one or more of the information security control objects corresponding to items 261-1 thru 261-328 in one or more ways previously mentioned above. In FIG. 2AA, after the electronic device 200 received the input selecting the first link 248 in FIG. 2Z and while the information security program corresponding to the first information security artifact (SSP #1.docx) includes one or more information security objects associated with the one or more information security controls described in the first information security artifact (SSP #1.docx), the electronic device 200 (or the information security service) receives an input directed to selectable option 220-2.

In some embodiments, in response to the electronic device 200 (or the information security service) detecting the selection of the selectable option 220-2, the electronic device 200 displays user interfaces associated with creating an information security program corresponding to the next information security artifact that was transmitted to the information security service (e.g., if the electronic device 200 (or the information security service) received an input selecting the selectable option 220-2 while the electronic device 200 (or the information security service) was displaying a user interface associated with the first information security artifact (SSP #1.docx), the electronic device 200 (or the information security service) would optionally display a user interface associated with creating an information security program corresponding to a second information security artifact (SSP #2.docx) that was transmitted to the information security service). Similarly, if the electronic device 200 received an input selecting the selectable option 220-2 while the electronic device 200 was displaying a user interface associated with the second information security artifact (SSP #2.docx), the electronic device 200 (or the information security service) would optionally display a user interface associated with creating an information security program corresponding to a third information security artifact (SSP #3.docx) that was transmitted to the information security service. In some embodiments, the user interfaces displayed by the electronic device 200 for creating an information security program corresponding to the second information security artifact (SSP #2.docx) or the third information security artifact (SSP #3.docx) are analogous to the user interfaces displayed by the electronic device 200 in FIGS. 2F-2AA for creating the information security program corresponding to the first information security artifact (SSP #1.docx).

In some embodiments, the electronic device 200 (or the information security service) displays a user interface that includes one or more representations of one or more information security programs that are currently created (or may have been historically created) in the information security service. For example, in FIG. 2BB, the electronic device 200 (or the information security service) is displaying a user interface 259 that optionally includes a first 255-1, second 255-2, third 255-3, fourth 255-4, fifth 255-5, and sixth 255-6 representation of a first, second, third, fourth, fifth, and sixth information security program currently created in the information security service, respectively. As illustrated in FIG. 2BB, the first, second, third, fourth, fifth, and sixth information security programs optionally correspond to the first, second, third, fourth, fifth, and sixth information security artifacts (SSP #1.docx-SSP #6.docx) that were transmitted to the information security service in FIGS. 2A-2D. The information security programs corresponding to the representations 255-1 thru 255-6 were optionally created in the information security service in one or more ways previously described in FIGS. 2A-2AA.

The user interface 259 also optionally includes a seventh 255-7, eighth 255-8, and ninth 255-9 representation of a seventh, eighth, and ninth information security program that are not created based on a transmitted information security artifact (e.g., the electronic device 200 (or the information security service) did not initiate a process to create the seventh, eighth, and ninth information security programs as a result of one or more information security artifacts being transmitted to the information security service). In some embodiments, the electronic device 200 (or the information security service) automatically displays the user interface 259 after creating, in the information security service, one or more information security programs corresponding to the first information security artifact (SSP #1.docx) thru the sixth information security artifact (SSP #6.docx) as described in FIGS. 2A-2AA and/or in response to the electronic device 200 (or the information security service) receiving a sequence of one or more inputs for navigating to the user interface 259. It should be understood that if the information security service includes more or fewer information security programs than as described and illustrated in FIG. 2BB, the user interface 259 would optionally include more or fewer representations of information security programs.

In some embodiments, the electronic device 200 (or the information security service) displays, in the user interface 259, the representation(s) of information security programs that correspond to a transmitted information security artifact (e.g., representations 255-1 thru 255-6) differently (e.g., visually distinguished) from the representation(s) of information security programs that do not correspond to a transmitted information security artifact (e.g., representations 255-7 thru 255-9). For example, the electronic device 200 optionally displays the representations 255-1 thru 255-6 with a first color, shape, texture, text, etc. and the representations 255-7 thru 255-9 with a second color, shape, texture, text, etc. because, as described above, the representations 255-1 thru 255-6 correspond to information security programs that were created based on the first information security artifact (SSP #1.docx) thru the sixth information security artifact (SSP #6.docx), respectively, and the representations 255-7 thru 255-9 correspond to information security programs that were not created based on a transmitted information security artifact.

In some embodiments, as illustrated in FIG. 2BB, visually distinguishing the representations of information security programs that were created based on an information security artifact from the representations of information security programs that do not correspond to an information security artifact includes displaying, at the representations of information security programs that were created based on an information security artifact, a (e.g., data) label indicating the information security artifact to which it corresponds, and forgoing displaying, at the representations of information security programs that were not created based on an information security artifact, a (e.g., data) label indicating the information security artifact to which it corresponds.

Additionally, or alternatively, in some embodiments, visually distinguishing the representations of information security programs that were created based on an information security artifact from the representations of information security programs that were not created based on an information security artifact includes displaying, at the representations of information security programs that were created based on an information security artifact, a (e.g., digital) link (e.g., hyperlink) that is selectable to access the information security artifact to which it corresponds, and forgoing displaying, at the representations of information security programs that were not created based on an information security artifact, a (e.g., digital) link that is selectable to access the information security artifact to which it corresponds.

As described earlier, information security control (e.g., data) objects of a respective information security program optionally include a (e.g., data) field whose value corresponds (e.g., maps) to an entity (e.g., data) object that is currently created in the information security service (e.g., such as the Information Security Control Object #1 in FIG. 2N having the field 266-1 with a label “Responsible Role” and a (e.g., data) value corresponding to the Information Security Management Team, which is optionally an entity object currently created in the information security service). An entity object in the information security service optionally includes contact information (e.g., a phone number, email, etc.) for contacting the associated entity. For example, if an entity object corresponding to the Information Security Management Team is currently created in the information security service, the entity object optionally includes information for contacting the Information Security Management Team, such as a group email address, phone number, etc., and/or the individual names and email addresses for the person(s) comprising the Information Security Management Team.

In some embodiments, the electronic device 200 (or the information security service) detects an input for requesting “auditable evidence” for one or more of the information security control objects included in a respective information security program created in the information security service (e.g., evidence which can be used to demonstrate, during an audit (e.g., internal audit and/or external audit) of a system, product, service, and/or device to an information security standard, that the one or more information security control objects are operating as intended). For example, if the above-mentioned input includes a request for “auditable evidence” associated with Information Security Control Object #1 (described previously), then in response to the electronic device 200 (or the information security service) receiving the above-mentioned input, the electronic device 200 (or the information security service) optionally transmits a (e.g., email, SMS, etc.) message to the one or more contacts included in the Information Security Management Team entity object requesting that “auditable evidence” be uploaded to the Information Security Control Object #1 in the information security service. One of ordinary skill in the art would understand the type of “auditable evidence” that would need to be uploaded to demonstrate, to an auditor, that the Information Security Control Object #1 is operating in a way that satisfies the objective(s) in an information security standard (e.g., the FedRAMP High information security standard) to which Information Security Control Object #1 corresponds (as described previously).

Similarly, if the above-mentioned input includes a request for “auditable evidence” for two information security control objects, Information Security Control Object #1 and Information Security Control Object #2 (described previously), then in response to the electronic device 200 receiving the above-mentioned input, the electronic device 200 (or the information security service) optionally transmits a (e.g., email, SMS, etc.) first message to the one or more contacts associated with the entity object corresponding to the Information Security Control Object #1 (e.g., the Information Security Management Team entity object) requesting that “auditable evidence” be uploaded to the Information Security Control Object #1 in the information security service, and a second message, different from the first message, to the one or more contacts associated with the entity object corresponding to the Information Security Control Object #2 requesting that “auditable evidence” be uploaded to the Information Security Control Object #2 in the information security service.

In some embodiments, a (e.g., email, SMS, etc.) message is not transmitted to the entity objects corresponding to the Information Security Control Object #1 and the Information Security Control Object #2 to collect “auditable evidence,” but rather the “auditable evidence” is automatically (e.g., continuously or periodically) collected from one or more systems associated with the subscriber that are implementing the information security control object (e.g., the same or similar evidence that would have been uploaded to the information security control objects #1 and #2) if the one or more system(s) (e.g., AWS, Google Cloud, Office 365, Okta, Auth0, MongoDB, ADP, Workday, GitHub, Jamf, etc.) that are implementing the information security control objects #1 and #2 are in communication (e.g., integrated) with the information security service. It shall be noted that the information security service may function to generate an auditable evidence findings report associated with a target information security program that may be used to graphically illustrate whether or not auditable evidence has been submitted to each of the controls in the target information security program.

In some embodiments, the representations 255-1 thru 255-9 are selectable to cause the electronic device 200 (or the information security service) to display an information security program overview user interface corresponding to the selected representation. For example, in FIG. 2BB, the electronic device 200 (or the information security service) receives an input selecting the representation 255-1 of the first information security program in the information security service. In some embodiments, in response to the electronic device 200 (or the information security service) detecting the input selecting the representation 255-1 of the first information security program in the information security service, the electronic device 200 (or the information security service) optionally displays the program overview user interface 253 illustrated in FIG. 2CC.

The user interface elements optionally included in the user interface 253 will now be described. The user interface 253 optionally includes a label 251 that indicates the content being displayed in the user interface 253 is associated with the first information security program (e.g., the information security program corresponding to the representation 255-1 in FIG. 2BB) and/or a description 249 of the information security standard(s) to which the first information security program corresponds (e.g., a summary of the information security standard(s)). The user interface 253 also optionally includes a text input (e.g., data) field 247 and a selectable option 237, which will be described in detail later.

Additionally, the user interface 253 also optionally includes selectable options 245, 223, and 227-1. Selectable option 245, when selected, optionally causes the electronic device 200 (or the information security service) to display, in the user interface 253, a table 229-1 that includes one or more items corresponding to the one or more information security (e.g., data) objects that are included in the first information security program that may have been constructed via the information security service. As illustrated in FIG. 2CC, the table 229-1 includes a plurality of items (or objects) 241-1 thru 241-328 corresponding to the information security control objects #1-#328 (e.g., the one or more information security control objects added to the information security program corresponding to the first information security artifact (SSP #1.docx) in FIGS. 2A-2AA). Items 241-1 thru 241-328 are optionally selectable, and when selected, cause the electronic device 200 (or the information security service) to display one or more fields of the information security control object corresponding to the selected item (e.g., in one or more analogous ways as described in FIGS. 2N, 2U, and 2X). Furthermore, as shown in FIG. 2CC, the user interface 253 optionally includes selectable options 223 and 277-1, which will be described in detail later.

In some embodiments, the electronic device 200 (or the information security service) is configured to generate different types of information security artifacts for a respective information security standard, including an information security artifact of a first type. In some embodiments, the information security artifact of the first type is an information security artifact that is submitted to the regulatory body of a respective information security standard (e.g., the authoritative source of the respective information security standard) (or to an entity (e.g., auditor, assessment organization, etc.) acting on behalf of the regulatory body) and reviewed by the regulatory body (or the entity associated with the regulatory body) to initially (and periodically thereafter) determine a system's, device's, service's, and/or product's compliance with the respective information security standard. Thus, in some embodiments, the information security artifact of the first type demonstrates, to the regulatory body or to the entity acting on behalf of the regulatory body, that the system's, device's, service's, and/or product's information security control(s) are compliant with the (applicable) objectives of the respective information security standard, as will be described in more detail below. In some embodiments, the information security artifact of the first type is an information system security plan for a respective system, device, service, or product. In some embodiments, the first, second, third, fourth, fifth, and/or sixth information security artifacts (SSP #1.docx-SSP #6.docx) described in at least FIGS. 2A-2E are information security artifacts of the first type.

Exemplary ways in which the electronic device 200 (or the information security service) generates information security artifacts of the first type will now be described. In FIG. 2CC, the electronic device 200 is displaying, at the text data field 247, a token (or tag) 235 indicating that an information security artifact of the first type for the FedRAMP High information security standard will be generated in response to the electronic device 200 detecting a selection of selectable option 237. In some embodiments, the text field 247 includes the token/tag 235 because the electronic device 200 received the text input “FedRAMP High SSP” directed to the text field 247. In some embodiments, in response to the electronic device 200 (or the information security service) detecting a selection of the selectable option 237, the electronic device 200 (or the information security service) generates, via one or more computers, the information security artifact of the first type for the FedRAMP High information security standard in accordance with evaluation-criteria defined by the FedRAMP High information security standard (e.g., because the text field 247 included the token/tag 235 corresponding to the FedRAMP High information security standard when the electronic device 200 (or the information security service) detected a selection of the selectable option 237). It shall be noted that, in one or more embodiments, the information security artifact may be generated in accordance with the evaluation-criteria defined by the FedRAMP High information security standard and includes cybersecurity control data specific to the currently displayed information security program at target locations (or regions) throughout the information security artifact (e.g., the cybersecurity control data associated with the currently displayed information security program is installed at select regions in the generated information security artifact).

In some embodiments, the electronic device 200 (or the information security service) generates the information security artifact of the first type for the FedRAMP High information security standard with content corresponding to one or more of the information security control objects included in the first information security program (e.g., the information security program that corresponds to the user interface 253). For instance, in a non-limiting example, the information security service may function to source a foundational security artifact (e.g., a security artifact template or the like) that corresponds to a target information security standard from a plurality of distinct foundational security artifacts digitally stored via an electronic cybersecurity repository of the information security service, one or more internal APIs and/or one or more external APIs, or the like, using a template ID based on the token/tag 235, and install subsets of data stored within the one or more information security control data objects of a target information security program into the foundational security artifact, which, in some embodiments, may now be referred to herein as a subscriber-specific information security artifact.

For example, if the electronic device 200 determines that the information security control (data) object #1 (e.g., the information security control object corresponding to item 241-1 in FIG. 2CC) corresponds to (e.g., maps to) objective #1 in the FedRAMP High information security standard (or another objective in the FedRAMP High information security standard) (e.g., an objective similar to the example objectives previously described), the electronic device 200 (or the information security service) optionally utilizes (e.g., installs, populates) one or more (data) values of the one or more fields corresponding to the information security object #1 (e.g., fields similar to the ones described in FIGS. 2N, 2U, and 2X) into the information security artifact of the first type to document the required information of the objective #1 (or the required information for another objective in the FedRAMP High information security standard).

That is, if the evaluation-criteria of the FedRAMP High information security standard require that: (1) the entity responsible for managing the information security control corresponding to objective #1 be documented in the information security artifact of the first type, (2) one or more parameter(s) of objective #1 be documented in the artifact, (3) an implementation status of the information security control corresponding to objective #1 be documented in the artifact, (4) the entity responsible for implementing the information security control corresponding to objective #1 be documented in the artifact, and/or (5) implementation details of the information security control(s) corresponding to objective #1 be documented in the artifact, the electronic device 200 (or the information security service) optionally installs (e.g., populates, via one or more computers) the (data) value of the responsible role field, the (data) values of the one or more parameter fields, the (data) value of the implementation status field, the (data) value of the control origination status field, and/or the (data) values of the one or more implementation detail fields of information security control object #1 (previously described in FIGS. 2N, 2U, and 2X) of the target information security program, respectively, into the information security artifact of the first type, so that the artifact documents the information required by objective #1 in the FedRAMP High information security standard (while optionally preserving the typographical emphasis (e.g., bolding, underlining, highlighting, font, size, capitalization, letter spacing, paragraph spacing, bullet points, ordered lists, etc.) of the (data) values of those fields in the artifact). The electronic device 200 (or the information security service) optionally populates the information security artifact of the first type with the information/content required by the other objectives in the FedRAMP High information security standard in one or more similar ways.

It shall be noted that generating an information security artifact of the first type in accordance with a respective information security standard requires no additional input other than selecting the selectable option 237 (e.g., no input directed to a text editor or word processing application is required), and the artifact is optionally generated in less than 0.1, 0.2, 0.3, 0.5, 1, or 2 seconds. Further, in some embodiments, after generating the information security artifact of the first type, the electronic device 200 optionally displays it in a word processing application and/or a document viewing application installed on the electronic device 200. In other words, the information security artifact of the first type may be automatically or system-generated by one or more computers of the information security service.

In some embodiments, generating the information security artifact of the first type in accordance with the evaluation-criteria of the FedRAMP High information security standard not only requires including, in the artifact, the data or information required by each objective in that standard, but may also require that the information required by each objective be arranged in a particular manner or structure. For example, the evaluation-criteria of the FedRAMP High information security standard optionally require, for each respective objective, that: (1) the entity responsible for managing the information security control corresponding to the respective objective be provided in a first row of a first table, (2) the one or more parameters of the respective objective be provided in one or more second rows of the first table, (3) the implementation status of the respective objective be selected from one or more selectable checkboxes corresponding to one or more predefined values in a third row (e.g., implemented, partially implemented, planned, alternative implementation, not applicable, etc.), (4) the control origination of the information security control corresponding to the respective objective be selected from one or more checkboxes corresponding to one or more predefined values in a fourth row (e.g., service provider, customer, customer and service provider, etc.), and/or (5) the implementation details for the information security control(s) corresponding to the respective objective be defined in a second table, separate from and/or below the first table.

Accordingly, for the remainder of the disclosure, when an information security artifact of the first type is generated in accordance with the evaluation-criteria of a respective information security standard, it should be understood that the artifact is optionally generated in accordance with the data (or information) required by each objective in that standard and/or in accordance with the required arrangement (e.g., format and/or structure), such that the regulatory body of the respective information security standard (or the entity acting on behalf of the regulatory body) will accept and review the artifact. It should also be understood that the evaluation-criteria for other information security standards are optionally different from those of the FedRAMP High information security standard, and thus information security artifacts of the first type generated by the electronic device 200 (or the information security service) for those standards optionally include different content and/or are arranged (e.g., structurally) in different manners.

In some embodiments, before the electronic device 200 (or the information security service) generates the information security artifact of the first type for the FedRAMP High information security standard, the electronic device 200 optionally receives a sequence of one or more inputs for modifying/updating one or more (e.g., data) fields (e.g., as described in FIGS. 2N, 2U, and 2X) of one or more information security control objects included in an information security program from having one or more first data values to having one or more second data values. For example, after creating the first information security program in the information security service as described in FIGS. 2A-2AA and before generating the information security artifact of the first type for the FedRAMP High information security standard, the electronic device 200 (or the information security service) optionally receives an input for modifying one or more (e.g., data) fields of one or more information security control objects in the first information security program, including modifying a first field (e.g., field 266-1 in FIG. 2N) of information security control object #1 (corresponding to item 241-1) from having a first value (e.g., Information Security Management Team) to having a second value (e.g., Executive Leadership Team) and modifying a second field of information security control object #2 (corresponding to item 241-2) from having a third value (e.g., an “implemented” implementation status) to having a fourth value (e.g., a “not implemented” implementation status). While the above embodiment describes an example in which the first field of information security control object #1 and the second field of information security control object #2 were modified, it should be understood that any fields of a respective information security control object, and any combination of information security control objects, could optionally be modified before the electronic device 200 (or the information security service) generates an information security artifact of the first type. In some embodiments, the electronic device 200 optionally displays an alert, in ways analogous to those described with respect to FIG. 2U, if the one or more inputs cause the one or more fields of information security control object #1 to be associated with one or more anomalies, as described with respect to FIG. 2J.

In some embodiments, after updating the first (e.g., data) field of information security control object #1 and the second (e.g., data) field of information security control object #2 included in the first information security program in accordance with the above-described input, the electronic device 200 (or the information security service) optionally determines that the previously generated information security artifact (SSP #1.docx) from which the first information security program was created no longer contains accurate/current information (e.g., because the first information security program includes changes (or data) not included in the previously generated information security artifact (SSP #1.docx)). In response to determining that the first information security artifact (SSP #1.docx) no longer contains accurate/current information, the electronic device 200 (or the information security service) optionally automatically generates (e.g., without user input) a new information security artifact of the first type for the FedRAMP High information security standard (e.g., the information security standard corresponding to SSP #1.docx, as determined in FIG. 2H) in accordance with the evaluation-criteria defined by the FedRAMP High information security standard. In some embodiments, after generating the new information security artifact of the first type, the electronic device 200 optionally displays it in a word processing application and/or a document viewing application installed on the electronic device 200.
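As an added illustration (not part of the disclosure and not the information security service's own code), the following Python example models the generation described in the preceding paragraphs: a foundational artifact is sourced from a template registry by its token/tag, the responsible role, parameters, implementation status, control origination, and implementation details of each control data object are installed into the first-table/second-table layout required by the evaluation-criteria, a value outside the predefined checkbox sets is surfaced as an anomaly rather than documented, and a fingerprint of the control data used is stored with the artifact so that a later field edit (e.g., Information Security Management Team to Executive Leadership Team) is detected as making the previously generated artifact stale. The field names, the template registry, the row layout, and the sample control objects are assumptions modelled on the text, not data from the disclosure.

```python
"""Populate a standard-specific security artifact (an SSP-style document)
from control data objects and detect when it has gone stale.
Added illustration, not the disclosure's code: field names, template
registry, row layout and sample controls are assumptions."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace

# Predefined checkbox values (assumed, modelled on the text).
STATUS_CHOICES = ("implemented", "partially implemented", "planned",
                  "alternative implementation", "not applicable")
ORIGINATION_CHOICES = ("service provider", "customer",
                       "customer and service provider")

# Foundational artifacts (templates) keyed by token/tag; assumed registry.
TEMPLATES = {
    "FedRAMP High SSP": {"title": "System Security Plan (FedRAMP High)",
                         "standard": "FedRAMP High"},
}


@dataclass(frozen=True)
class ControlObject:
    """One information security control data object (fields assumed)."""
    control_id: str
    objective: str                  # objective it maps to in the standard
    responsible_role: str
    parameters: tuple               # ((parameter name, value), ...)
    implementation_status: str
    control_origination: str
    implementation_details: tuple   # one entry per control part


def update_field(ctrl, **changes):
    """Return a modified copy, as an edit of a field in the UI would."""
    return replace(ctrl, **changes)


def checkbox_row(label, choices, selected):
    """One table row of checkboxes. A value outside the predefined set is
    an anomaly that must be surfaced, not silently written into the SSP."""
    if selected not in choices:
        raise ValueError(f"{label}: {selected!r} is not one of {choices}")
    boxes = " ".join(f"[{'x' if c == selected else ' '}] {c}" for c in choices)
    return f"{label} | {boxes}"


def render_objective(ctrl):
    """First table: role, parameter rows, status, origination.
    Second table, kept separate: the implementation details."""
    table1 = [f"Responsible Role | {ctrl.responsible_role}"]
    table1 += [f"Parameter {name} | {value}" for name, value in ctrl.parameters]
    table1.append(checkbox_row("Implementation Status", STATUS_CHOICES,
                               ctrl.implementation_status))
    table1.append(checkbox_row("Control Origination", ORIGINATION_CHOICES,
                               ctrl.control_origination))
    table2 = [f"Part {i} | {d}" for i, d in enumerate(ctrl.implementation_details, 1)]
    return {"objective": ctrl.objective, "table1": table1, "table2": table2}


def program_fingerprint(controls):
    """Order-independent hash of every field of every control object used."""
    records = sorted((asdict(c) for c in controls), key=lambda d: d["control_id"])
    canon = json.dumps(records, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def generate_artifact(tag, controls):
    """Source the template by token/tag and install the control data into it."""
    tmpl = TEMPLATES[tag]
    return {"title": tmpl["title"], "standard": tmpl["standard"],
            "sections": [render_objective(c) for c in controls],
            "fingerprint": program_fingerprint(controls)}


def is_stale(artifact, controls):
    """True when the program changed after the artifact was generated."""
    return artifact["fingerprint"] != program_fingerprint(controls)


def render_text(artifact):
    lines = [artifact["title"], ""]
    for s in artifact["sections"]:
        lines += [f"Objective {s['objective']}", *s["table1"], "", *s["table2"], ""]
    return "\n".join(lines)


SAMPLE_CONTROLS = (  # constructed sample data, not from the disclosure
    ControlObject("ctl-1", "AC-1", "Information Security Management Team",
                  (("AC-1(a)", "annually"),), "implemented", "service provider",
                  ("Policy is reviewed annually by the ISMT.",)),
    ControlObject("ctl-2", "AC-2", "Platform Engineering",
                  (("AC-2(b)", "SSO group"), ("AC-2(j)", "quarterly")),
                  "partially implemented", "customer and service provider",
                  ("Accounts are provisioned through SSO.",
                   "Quarterly access review is planned.")),
)

if __name__ == "__main__":
    art = generate_artifact("FedRAMP High SSP", SAMPLE_CONTROLS)
    print(render_text(art))
    edited = (update_field(SAMPLE_CONTROLS[0],
                           responsible_role="Executive Leadership Team"),) + SAMPLE_CONTROLS[1:]
    print("artifact stale after edit:", is_stale(art, edited))
```

The fingerprint is computed over the control objects actually installed, so reordering the program does not trigger regeneration while any field edit does; a real service would persist it alongside the generated document (SSP #1.docx in the text) and compare on every save.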

In some embodiments, the electronic device 200 (or the information security service) optionally generates one or more information security artifacts for one or more information security standards (e.g., one or more information security standards different from the information security standard corresponding to the information security artifact from which the information security program was created). For example, in FIG. 2DD, the text field 247 includes the token/tags 229, 231, 233, and 235, indicating that the electronic device 200 (or the information security service) will generate information security artifacts of the first type for the SOC 2 information security standard, the ISO 27001 information security standard, the FedRAMP Low information security standard, and the FedRAMP High information security standard in response to the electronic device 200 detecting an input selecting the selectable option 237. In some embodiments, the text field 247 optionally includes the token/tags 229, 231, 233, and 235 in response to the electronic device 200 (or the information security service) detecting a first text input directed to the text field 247 that included “FedRAMP High SSP,” a second text input directed to the text field 247 that included “FedRAMP Low SSP,” a third text input directed to the text field 247 that included “ISO 27001 SSP,” and a fourth text input directed to the text field 247 that included “SOC 2 SSP.”

In FIG. 2EE, while the text field 247 includes the token/tags 229-235, the electronic device 200 (or the information security service) detects an input selecting the selectable option 237. In response to receiving that input, the electronic device 200 (or the information security service) optionally generates a first, second, third, and fourth information security artifact (e.g., distinct information security artifacts) of the first type for the FedRAMP High information security standard, the FedRAMP Low information security standard, the ISO 27001 information security standard, and the SOC 2 information security standard, respectively. It should be understood that if the text field 247 had included fewer, more, or different token/tags, the electronic device 200 (or the information security service) would optionally have generated fewer, more, or different information security artifacts of the first type in accordance with the token/tags included in the text field 247 when the electronic device 200 detected the selection of the selectable option 237. It shall be noted that in some embodiments, the text field 247 may include a plurality of token/tags and, in response to the electronic device 200 (or the information security service) receiving an input selecting the selectable option 237, a single (or composite) information security artifact may be generated that includes a corresponding security artifact for each of the plurality of token/tags.

Thus, as shown in FIGS. 2DD and 2EE, even though the first information security program (e.g., the information security program illustrated in the user interface 253) was created from the first information security artifact (SSP #1.docx), which corresponded to the FedRAMP High information security standard, the electronic device 200 (or the information security service) is able to utilize the information security control objects and the corresponding control data included in the first information security program (e.g., the values of the fields of the information security control objects, information security objects derived as germane to other standards, or the like) to generate information security artifacts of the first type in accordance with the evaluation-criteria of other information security standards (in addition to the FedRAMP High information security standard). That is, in one or more embodiments, in response to detecting a selection of the artifact generation object 237, the information security service may automatically (and optionally simultaneously) generate a plurality of distinct information security artifacts for a plurality of distinct information security standards by selectively installing appropriate subsets of the control data included in the information security program into each of a plurality of foundational information security artifacts (e.g., templates) corresponding to each of the plurality of token/tags (as described in more detail in method 300). It shall be noted that the information security service may source, via one or more computers, each of the plurality of foundational information security artifacts (e.g., templates) by searching/querying a foundational information security artifact repository based on one or more target token/tags.

As mentioned previously, in some embodiments, the plurality of information security control objects #1-#328 included in the first information security program (corresponding to items 241-1 through 241-328) optionally correspond to one or more objectives in the FedRAMP High information security standard (e.g., information security control object #1 corresponds to objective #1, information security control object #2 corresponds to objective #2 in the FedRAMP High information security standard, etc.). In some embodiments, when generating an information security artifact of the first type for an information security standard that is different (or distinct) from the information security standard corresponding to the information security artifact from which an information security program was created, the electronic device 200 (or the information security service) derives or determines which objectives in the FedRAMP High information security standard correspond (e.g., map) to objectives in the different information security standard and thus which information security control objects and corresponding control data to utilize (and not to utilize) when generating the information security artifact of the first type for the different information security standard. For example, if information security control objects #1-#100 (associated with items 241-1 through 241-100) correspond to objectives #1-#100 in the FedRAMP High information security standard, the electronic device 200 (or the information security service) optionally automatically determines/derives that objectives #1-#100 in the FedRAMP High information security standard correspond to objectives #50-#150 in the ISO 27001 information security standard, and thus utilizes one or more (e.g., data) values of the one or more fields of information security control objects #1-#100 (e.g., fields similar to the ones described in FIGS. 2N, 2U, and 2X) to document (e.g., populate, generate, or the like) the information security artifact of the first type with the information required for objectives #50-#150 in the ISO 27001 information security standard. The information required for the remaining objectives in the ISO 27001 information security standard may optionally be added to the information security artifact of the first type in ways analogous to those described above.

Accordingly, the electronic device 200 (or the information security service) optionally utilizes different subsets of the plurality of information security control objects included in the first information security program when generating information security artifacts of the first type for different information security standards (e.g., because different information security standards optionally include different objectives). It should be understood that if the electronic device 200 had instead been displaying a user interface for a second information security program, different from the first information security program, when it detected the selection of the selectable option 237, the electronic device 200 (or the information security service) would instead have generated the information security artifact of the first type using (e.g., based on) one or more of the plurality of information security control objects included in the second information security program and not the first information security program.

In some embodiments, rather than generating an information security artifact of the first type in accordance with the evaluation-criteria of a respective information security standard, the electronic device 200 (or the information security service) is optionally able to generate the information security artifact of the first type in accordance with user-defined criteria or subscriber-defined criteria (e.g., an information security artifact of the first type is generated in accordance with an arrangement defined by a user of the electronic device 200 (or a subscriber of the information security service)). For example, the electronic device 200 (or the information security service) may receive one or more instructions from the user of the electronic device 200 (or the subscriber of the information security service) to generate an information security artifact of the first type in accordance with the evaluation-criteria of the FedRAMP High information security standard (e.g., arranging the artifact in a manner similar to that required by the FedRAMP High information security standard) while documenting (e.g., populating, generating, or the like) the artifact with the information required for the objectives in the ISO 27001 information security standard (e.g., populating the artifact with content from the information security control objects in the first information security program that are determined to correspond to the objectives of the ISO 27001 information security standard). It should be understood that the electronic device 200 (or the information security service) could also generate information security artifacts of the first type in other user-defined or subscriber-defined ways without departing from the scope of the disclosure. In some embodiments, as will be described later, the electronic device 200 (or the information security service) optionally generates an information security artifact of a second type for an information security standard, for reporting vulnerability data to a regulatory body of the information security standard.

In one or more embodiments, it may be required of, or otherwise advantageous for, organizations subscribing to the information security service to prove to themselves or others that they employ practices that comply with one or more public standards or programs, such as the American Institute of Certified Public Accountants' (AICPA's) Service Organization Control 2 (SOC 2), the European Union's General Data Protection Regulation (GDPR), FedRAMP, or the like. Proving compliance with such programs may be an expensive or onerous process that consumes time and resources that could better be used elsewhere. In many cases, programs define a set of requirements, each of which may be associated with one or more controls. Thus, at least one technical advantage of the system 100 implementing the method 200 may be to prove compliance (e.g., generate compliance artifacts, information security artifacts, or the like) by automatically collecting and/or rapidly generating documentation indicating that the organization may be complying with the controls or requirements of a given program.

In some embodiments, the electronic device 200 (or the information security service) optionally displays one or more notifications/alerts in response to receiving an input for generating one or more information security artifacts of the first type for one or more respective information security standards, as will now be described with respect to FIGS. 2FF-2II. In FIG. 2FF, the electronic device 200 optionally receives an input selecting the selectable option 237 while the text field 247 includes the token/tag 235-1 corresponding to the NIST 800-53 information security standard. In response to receiving that input, the electronic device 200 (or the information security service) optionally generates an information security artifact of the first type for the NIST 800-53 information security standard based on the information security control objects included in the first information security program that correspond to the objectives of the NIST 800-53 information security standard, and in accordance with the evaluation-criteria defined by the NIST 800-53 information security standard (e.g., in ways analogous to those described above with respect to generating an information security artifact of the first type for the FedRAMP High information security standard).

In some embodiments, before the electronic device 200 (or the information security service) generates the information security artifact of the first type for the NIST 800-53 information security standard (or, analogously, for any other information security standard previously described), the electronic device 200 (or the information security service) optionally determines whether the NIST 800-53 information security standard includes one or more objectives that do not correspond to at least one information security control object included in the first information security program. If the electronic device 200 (or the information security service) determines that the NIST 800-53 information security standard includes one or more such objectives, the electronic device 200 (or the information security service) optionally displays an indication that one or more of the objectives included in the NIST 800-53 information security standard do not have a corresponding information security control object in the first information security program. For example, in FIG. 2GG, the electronic device 200 is displaying the indication 227, indicating that 11 objectives (e.g., objectives #1-#11) in the NIST 800-53 information security standard do not correspond to an information security control object in the first information security program. In some embodiments, if one or more of the anomalies identified for one or more information security control objects (previously described in FIGS. 2J-2AA) were not corrected (e.g., via a sequence of one or more inputs) before those information security control objects were added to the first information security program, the indication 227 optionally, additionally, or alternatively indicates the one or more anomalies still associated with those information security control objects (e.g., if the information security control objects correspond (e.g., map) to one or more objectives in the NIST 800-53 information security standard, the information security standard for which the information security artifact of the first type is being generated).

In some embodiments, if the electronic device 200 (or the information security service) determines that each objective in the NIST 800-53 information security standard corresponds to at least one information security control object included in the first information security program, the electronic device 200 (or the information security service) generates the information security artifact of the first type for the NIST 800-53 information security standard without displaying the indication 227 illustrated in FIG. 2GG.

In some embodiments, if the electronic device 200 (or the information security service) determines that one or more objectives (e.g., some or all of the objectives) in the NIST 800-53 information security standard do not correspond to at least one information security control object included in the first information security program, the electronic device 200 (or the information security service) optionally displays the indication 227 with a selectable option that is selectable to initiate a process to create an information security control object for each objective in the NIST 800-53 information security standard that does not currently correspond to an information security control object in the first information security program, and to save those created information security control objects to the first information security program. Additionally, or alternatively, in response to determining that one or more objectives in the NIST 800-53 information security standard do not correspond to at least one information security control object included in the first information security program, the electronic device 200 (or the information security service) optionally performs a second determination to determine whether another information security program (e.g., a second information security program of the target subscriber) in the information security service includes information security control objects that correspond to the objectives in the NIST 800-53 information security standard for which the first information security program did not include a corresponding information security control object.

For example, in FIG. 2GG, after the electronic device 200 (or the information security service) determined that 11 objectives (e.g., objectives #1-#11) in the NIST 800-53 information security standard did not correspond to any information security control objects in the first information security program, the electronic device 200 (or the information security service) determined that the second information security program includes information security control objects corresponding to those 11 objectives (e.g., objectives #1-#11). As a result of this determination, in some embodiments as illustrated in FIG. 2GG, the electronic device 200 (or the information security service) optionally displays, at the indication 227, information indicating that the second information security program includes information security control objects corresponding to the 11 objectives (e.g., objectives #1-#11) in the NIST 800-53 information security standard for which the first information security program did not include corresponding information security control objects. If multiple information security programs include information security control objects that correspond to those 11 objectives (e.g., objectives #1-#11), the indication 227 would optionally include information indicating that multiple information security programs include such information security control objects (rather than only information about a single information security program, as illustrated in FIG. 2GG).

Additionally, as shown in FIG. 2GG, while the indication 227 includes information indicating that the second information security program includes information security control objects corresponding to the 11 objectives (e.g., objectives #1-#11) in the NIST 800-53 information security standard for which the first information security program did not include corresponding information security control objects, the indication 227 also optionally includes selectable options 225-1 and 225-2. Selectable option 225-1, when selected, optionally causes the electronic device 200 (or the information security service) to generate the information security artifact of the first type for the NIST 800-53 information security standard with content from the information security control objects included in the first information security program that correspond to the objectives in the NIST 800-53 information security standard (except objectives #1-#11) and with content from the information security control objects included in the second information security program that correspond to objectives #1-#11. In some embodiments, the indication 227 includes information indicating which information security control objects in the second information security program correspond to the 11 objectives (e.g., objectives #1-#11) in the NIST 800-53 information security standard for which the first information security program did not include corresponding information security control objects. Optionally, in one or more embodiments, based on generating the information security artifact that includes the eleven (11) information security control objects, the information security service may (e.g., simultaneously or subsequently) install, duplicate, or the like the eleven (11) information security control objects into the first information security program.

Alternatively, selectable option 225-2, when selected, optionally causes the electronic device 200 (or the information security service) to generate the information security artifact of the first type for the NIST 800-53 information security standard with content from the information security control objects included in the first information security program that correspond to the objectives in the NIST 800-53 information security standard (except for objectives #1-#11) and without content from the information security control objects included in the second information security program that correspond to objectives #1-#11, which optionally causes the evaluation-criteria of the NIST 800-53 information security standard not to be satisfied.

In some embodiments, if the electronic device 200 (or the information security service) determines that the second information security program includes information security control objects that correspond to a portion (e.g., a subset), but not all, of the 11 objectives (e.g., objectives #1-#11) in the NIST 800-53 information security standard for which the first information security program did not include corresponding information security control objects, the electronic device 200 (or the information security service) optionally performs another determination to determine whether another information security program in the information security service includes information security control objects that correspond to the remaining portion of those objectives, for which neither the first nor the second information security program included corresponding information security control objects.

For example, as an alternative to FIG. 2GG, if the electronic device 200 (or the information security service) had instead determined that the second information security program includes information security control objects corresponding to 5 of the 11 objectives in the NIST 800-53 information security standard for which the first information security program did not include corresponding information security control objects, the electronic device 200 (or the information security service) optionally would have performed another determination to determine whether any other information security program in the information security service includes information security control objects that correspond to the remaining 6 of the 11 objectives in the NIST 800-53 information security standard for which neither the first nor the second information security program includes corresponding information security control objects.

In some embodiments, if the electronic device 200 (or the information security service) determined that a third information security program in the information security service includes information security control objects corresponding to the remaining 6 of the 11 objectives in the NIST 800-53 information security standard for which neither the first nor the second information security program includes corresponding information security control objects, the indication 227 would optionally include information indicating that while the first information security program does not include any information security control objects that correspond to 11 of the objectives required by the NIST 800-53 information security standard (e.g., objectives #1-#11), the second and the third information security programs do include information security control objects corresponding to objectives #1-#5 and objectives #6-#11, respectively.

In such embodiments, selectable option 225-1, when selected, optionally causes the electronic device 200 (or the information security service) to generate the information security artifact of the first type for the NIST 800-53 information security standard with content from the information security control objects included in the first information security program for the objectives in the NIST 800-53 information security standard (except for objectives #1-#11) and with content from the information security control objects included in the second and the third information security programs that correspond to objectives #1-#11. Alternatively, selectable option 225-2, when selected, optionally causes the electronic device 200 to generate the information security artifact of the first type for the NIST 800-53 information security standard with content from the information security control objects included in the first information security program that correspond to the objectives in the NIST 800-53 information security standard (except objectives #1-#11) and without content from the information security control objects included in the second and the third information security programs that correspond to objectives #1-#11, which optionally causes the evaluation-criteria of the NIST 800-53 information security standard to not be satisfied.
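The gap-filling described across FIGS. 2GG and 2HH (first program first, then a second program, then a third, with any objective nobody covers left open) is a small coverage-resolution algorithm. The following is an added example, not code from the patent or the described service: the objective names, program names and control identifiers are constructed, and the rule that the first fallback program listed wins when several cover the same gap is an assumption.

```python
"""Assemble an artifact for a standard from several programs' control objects.

Added example, not code from the patent. Objective names, program names and
control identifiers are constructed; "first fallback listed wins" is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ControlObject:
    control_id: str
    objective: str   # the objective of the standard this control addresses
    # Real control objects also carry field values (role, status, details, ...);
    # they are omitted here because coverage depends only on the objective.


@dataclass
class Program:
    name: str
    controls: List[ControlObject]

    def by_objective(self) -> Dict[str, ControlObject]:
        """Index controls by objective; the first control for an objective wins."""
        index: Dict[str, ControlObject] = {}
        for c in self.controls:
            index.setdefault(c.objective, c)
        return index


@dataclass
class Artifact:
    standard: str
    sections: Dict[str, ControlObject] = field(default_factory=dict)  # objective -> content
    borrowed: Dict[str, str] = field(default_factory=dict)            # objective -> program
    missing: List[str] = field(default_factory=list)                  # objectives with no content

    def satisfies_evaluation_criteria(self) -> bool:
        """Submittal criteria require content for every objective of the standard."""
        return not self.missing


def gap_report(objectives: Sequence[str], primary: Program,
               fallbacks: Sequence[Program]) -> Tuple[List[str], Dict[str, str]]:
    """What the indication shows: objectives the primary program lacks, and the
    first fallback program (in order) that can supply each one."""
    covered = primary.by_objective()
    missing = [o for o in objectives if o not in covered]
    supplier: Dict[str, str] = {}
    for o in missing:
        for prog in fallbacks:
            if o in prog.by_objective():
                supplier[o] = prog.name
                break
    return missing, supplier


def assemble_artifact(standard: str, objectives: Sequence[str], primary: Program,
                      fallbacks: Sequence[Program], use_fallbacks: bool = True) -> Artifact:
    """Fill each objective from the primary program, then (option 225-1) from the
    fallbacks in order; with use_fallbacks=False (option 225-2) the gaps stay open."""
    art = Artifact(standard=standard)
    primary_idx = primary.by_objective()
    fallback_idx = [(p.name, p.by_objective()) for p in fallbacks]
    for o in objectives:
        if o in primary_idx:
            art.sections[o] = primary_idx[o]
            continue
        source = None
        if use_fallbacks:
            source = next(((name, idx[o]) for name, idx in fallback_idx if o in idx), None)
        if source is None:
            art.missing.append(o)   # nobody covers it: prompt to create a control (FIG. 2HH)
        else:
            art.borrowed[o], art.sections[o] = source
    return art


# Constructed sample data: a seven-objective stand-in for a standard and three programs.
OBJECTIVES = [f"Objective #{i}" for i in range(1, 8)]
PROGRAM_1 = Program("Program 1", [ControlObject("P1-C1", "Objective #1"),
                                  ControlObject("P1-C2", "Objective #2"),
                                  ControlObject("P1-C3", "Objective #3")])
PROGRAM_2 = Program("Program 2", [ControlObject("P2-C1", "Objective #1"),  # duplicate; primary keeps precedence
                                  ControlObject("P2-C4", "Objective #4"),
                                  ControlObject("P2-C5", "Objective #5")])
PROGRAM_3 = Program("Program 3", [ControlObject("P3-C6", "Objective #6")])

if __name__ == "__main__":
    lacking, suppliers = gap_report(OBJECTIVES, PROGRAM_1, [PROGRAM_2, PROGRAM_3])
    print("primary lacks:", lacking, "suppliers:", suppliers)
    art = assemble_artifact("stand-in standard", OBJECTIVES, PROGRAM_1, [PROGRAM_2, PROGRAM_3])
    print("still missing:", art.missing, "criteria met:", art.satisfies_evaluation_criteria())
```

With the constructed data, Program 1 lacks objectives #4 through #7; Program 2 supplies #4 and #5, Program 3 supplies #6, and #7 remains open, which is exactly the state in which the indication would offer to create a control object rather than borrow one.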

In some embodiments, as generally illustrated in FIG. 2HH, if the electronic device 200 (or the information security service) determines that none of the information security programs includes information security control objects corresponding to one or more of the objectives in the NIST 800-53 information security standard, the electronic device 200 (or the information security service) optionally displays the indication 227 with a selectable option (e.g., selectable option 225-1) for creating, in the first information security program, information security control objects for the one or more objectives in the NIST 800-53 information security standard that do not currently correspond to any information security control object included in any information security program at the information security service. In some embodiments, the information security control objects are created in ways analogous to those described with respect to FIG. 2X.

In some embodiments, rather than updating one or more fields of one or more information security control objects included in the first information security program as described previously (e.g., in response to receiving text input directed to one or more of the fields illustrated in FIGS. 2N, 2U, and 2X), the electronic device 200 (or the information security service) may update (e.g., initiate a process to update) the one or more (e.g., data) fields of the one or more information security control objects in response to receiving an updated version of the first information security artifact, as will now be described with respect to FIGS. 2II-2OO. In FIG. 2II, the electronic device 200 (or the information security service) is detecting a selection of the selectable option 223 (indicated by the mouse 208 selecting the selectable option 223). In some embodiments, in response to the electronic device 200 receiving the input selecting the selectable option 223, the electronic device 200 optionally displays, at the user interface 253, a user interface element 215-1 and a selectable option 217-1, which will now be described.

In some embodiments, the electronic device 200 optionally displays a file browsing user interface 235-1 similar to the one previously described in FIG. 2C in response to the electronic device 200 (or the information security service) detecting an input selecting the selectable option 217-1. For example, in FIG. 2KK, the electronic device 200 (or the information security service) detects an input selecting the selectable option 217-1 (indicated by mouse 208 selecting the selectable option 217-1). In response to the electronic device 200 (or the information security service) detecting the input in FIG. 2KK, in FIG. 2LL, the electronic device 200 optionally displays the file browsing user interface 235-1 previously described in FIG. 2C. Additionally, as shown in FIG. 2LL, the electronic device 200 (or the information security service) is receiving an input selecting the selectable option 210-7 (indicated by mouse 208 selecting the selectable option 210-7) while an updated version of the first information security artifact 212-1 (SSP #1.docx*) has been selected in the file browsing user interface 235-1 (indicated by checkmark 214-1). In response to the electronic device 200 receiving the input selecting the selectable option 210-7 in FIG. 2LL, the electronic device 200 optionally transmits the updated version of the first information security artifact (SSP #1.docx*) to the information security service. For example, in FIG. 2MM, the information security service has received the updated version of the first information security artifact (SSP #1.docx*) from the electronic device 200 (indicated by the electronic device 200 displaying the document name of the updated version of the first information security artifact, SSP #1.docx*, at the user interface element 215-1).

In some embodiments, the electronic device 200 (or the information security service) determines whether the updated version of the first information security artifact (SSP #1.docx*) includes one or more changes to the one or more information security control objects (e.g., to the (e.g., data) fields of the one or more information security control objects) included in the first information security program. The electronic device 200 (or the information security service) optionally determines that the updated version of the first information security artifact (SSP #1.docx*) includes one or more changes to a respective information security control object in the first information security program if the current values of one or more fields of the respective information security control object in the information security service and the description corresponding to the one or more fields for the respective information security control object in the updated version of the first information security artifact (SSP #1.docx*) are different, as will be described in more detail with respect to FIG. 2NN. In some embodiments, the description in the updated version of the first information security artifact (SSP #1.docx*) corresponding to a respective field (or fields) of a respective information security control object is queryable in ways similar to those previously described with respect to the first information security artifact.

In some embodiments, if the electronic device 200 (or the information security service) determines that the updated version of the first information security artifact (SSP #1.docx*) includes one or more changes directed to the one or more information security control objects, the electronic device 200 optionally displays one or more items corresponding to the one or more changes in the user interface 253. For example, in FIG. 2MM, after (e.g., in response to) the electronic device 200 transmitting the updated version of the first information security artifact (SSP #1.docx*) to the information security service, the electronic device 200 determined that the updated version of the first information security artifact (SSP #1.docx*) includes changes directed to five (5) of the information security control objects in the first information security program. As a result of the electronic device 200 (or the information security service) determining that the updated version of the first information security artifact (SSP #1.docx*) includes changes/modifications directed to 5 of the information security control objects in the first information security program, as shown in FIG. 2MM, the electronic device 200 optionally displays, in a table 227-1, items 219-1 thru 219-5 corresponding to the 5 changes (changes #1-#5, respectively). It should be understood that if the electronic device 200 (or the information security service) determined that the updated version of the first information security artifact (SSP #1.docx*) included more or fewer changes directed to the information security control objects in the first information security program, the table 227-1 would include correspondingly more or fewer items.

In some embodiments, the electronic device 200 (or the information security service) displays information directed to the changes detected in the updated version of the first information security artifact (SSP #1.docx*). For example, as additionally illustrated in FIG. 2MM, the electronic device 200 is detecting a selection of item 219-5 corresponding to change #5 (indicated by mouse 208 selecting item 219-5). In response to the electronic device 200 detecting the selection of item 219-5 in the table 227-1, the electronic device 200 optionally displays the user interface 231-1 for change #5.

The user interface 231-1 optionally includes a field 235-1 with the label “Control Name” and the value “Control #198” to indicate that change #5 is directed to information security control object #198 in the first information security program.

The user interface 231-1 also includes the fields 237-1 thru 241-1. The user interface optionally includes the fields 237-1 thru 241-1 because the electronic device 200 (or the information security service) determined that the current values of the responsible role, implementation status, and implementation details #2 of information security control object #198 (corresponding to fields 237-1 thru 241-1) are different from the description data corresponding to these fields in the updated version of the first information security artifact (SSP #1.docx*). Information security control object #198 optionally includes more fields than the ones illustrated in FIG. 2NN, but the user interface 231-1 optionally does not include those fields because their values and the description corresponding to them in the updated version of the first information security artifact (SSP #1.docx*) are the same.

In some embodiments, if the electronic device 200 (or the information security service) determines that one or more current values of one or more fields of information security control object #198 are different from the description corresponding to these fields in the updated version of the first information security artifact (SSP #1.docx*), the user interface 231-1 indicates the new values the one or more fields will have if the changes to information security control object #198 (change #5 illustrated in the user interface 231-1) are accepted. For example, in FIG. 2NN, the field 237-1 of information security control object #198 (corresponding to the label “Responsible Role”) indicates that if change #5 is accepted (e.g., by selecting the selectable option 233-1), the value of the field 237-1 will change from the current value “Information Security Director” (indicated with strikethrough) to the new value “Information Security Manager” (not indicated in strikethrough), because the description corresponding to field 237-1 in the updated version of the first information security artifact (SSP #1.docx*) has the text value “Information Security Manager”. Other ways of indicating the current value of a field and the new value the field will have if a respective change is accepted include visually de-emphasizing the current value and visually emphasizing the new value, such as with an animation and/or other forms of typographical emphasis. The fields 239-1 and 241-1 of information security control object #198 illustrated in FIG. 2NN optionally have their current values struck through and their new values (e.g., the values if change #5 is accepted) not struck through for reasons analogous to those described with respect to field 237-1.
It should be understood that if the electronic device 200 had instead detected a selection of item 219-1 corresponding to change #1 instead of item 219-5 corresponding to change #5 in FIG. 2MM, the electronic device 200 optionally would have displayed a user interface for change #1 in one or more ways similar to those described above.

In some embodiments, the changes included in the updated version of the first information security artifact (SSP #1.docx*) are accepted in bulk (as opposed to individually accepting changes as described with respect to FIG. 2NN). For example, in FIG. 2MM, if the electronic device 200 detects a selection of checkbox 225-1 (or an input individually selecting any combination of checkboxes 225-2 thru 225-5) followed by a selection of selectable option 223-1, the electronic device 200 (or the information security service) optionally updates, in bulk, the fields of the information security control objects in accordance with the selected changes among changes #1-#5 (e.g., updates the values of the fields of the information security control objects to which the selected changes correspond).

In some embodiments, in response to receiving a request to update/modify one or more values of one or more fields of a respective information security control object in the first information security program, the electronic device 200 (or the information security service) optionally determines whether the respective information security control object corresponds (e.g., is similar) to one or more other information security control objects in one or more other, distinct information security programs. In some embodiments, a first respective information security control object in a first information security program is similar to a second respective information security control object in a second information security program if the first and the second respective information security control objects correspond to the same objective in a respective information security standard, if the labels and values of the fields of the first and the second respective information security control objects are the same, etc. For example, after the electronic device 200 received the input selecting the selectable option 233-1 for updating/modifying the values of the fields 237-1 thru 241-1 in accordance with change #5, the electronic device 200 (or the information security service) optionally determines that information security control object #198 (e.g., the information security control object corresponding to change #5, as indicated by field 235-1 in FIG. 2NN) is similar to information security control object #50 in a second information security program in the information security service and to information security control object #101 in a third information security program in the information security service for one or more of the reasons described above.

In some embodiments, if the electronic device 200 (or the information security service) determines that information security control object #198 (e.g., the information security control object corresponding to change #5, as indicated by field 235-1 in FIG. 2NN) is similar to one or more information security control objects in one or more other information security programs, the electronic device 200 (or the information security service) optionally displays an indication that information security control object #198 is similar to one or more information security control objects in one or more other information security programs. For example, in FIG. 2OO, after (e.g., in response to) the electronic device 200 (or the information security service) determined that information security control object #198 is similar to information security control object #50 in the second information security program and to information security control object #101 in the third information security program, the electronic device 200 optionally displays indication 241-1. Conversely, if the electronic device 200 (or the information security service) determines that information security control object #198 is not similar to any information security control object in another information security program, the electronic device 200 optionally updates the values of fields 237-1 thru 241-1 illustrated in FIG. 2NN in accordance with change #5 without displaying the indication 241-1.

As illustrated in FIG. 2OO, the indication 241-1 optionally includes text identifying the information security control objects to which information security control object #198 is similar (e.g., “Control #198 in Program 1 is similar to Control #50 in Program 2 and Control #101 in Program 3”). Additionally, or alternatively, as illustrated in FIG. 2OO, the indication 241-1 optionally includes text asking the user of the electronic device 200 (or the information security service) whether information security control object #50 in the second information security program and information security control object #101 in the third information security program should also be updated in accordance with change #5 described with respect to FIG. 2NN, and/or selectable options 225-1 and 225-2. Selectable option 225-1, when selected, optionally causes the electronic device 200 (or the information security service) to update information security control objects #198, #50, and #101 in the first, second, and third information security programs, respectively, in accordance with change #5 described with respect to FIG. 2NN (e.g., updates the values of the fields in accordance with change #5). Conversely, selectable option 225-2, when selected, optionally causes the electronic device 200 (or the information security service) to update information security control object #198 of the first information security program in accordance with change #5 described with respect to FIG. 2NN (e.g., updates the values of the fields in accordance with change #5) without updating information security control objects #50 and #101 (e.g., the information security control objects determined to be similar to control object #198) in accordance with change #5.

In some embodiments, the electronic device 200 (or the information security service) does not require all of the information security control objects that are similar to information security control object #198 to be updated in accordance with change #5 in response to detecting a selection of selectable option 225-1. For example, if the electronic device 200 (or the information security service) determines that information security control object #198 is similar to one or more information security control objects in one or more other information security programs, the electronic device 200 is optionally able to receive input, before receiving the selection of selectable option 225-1, indicating which of the one or more similar information security control objects should be updated in accordance with change #5 (and, correspondingly, which of them should not be updated in accordance with change #5).
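The reconciliation described from FIG. 2MM through FIG. 2OO has three steps a practitioner would want to see end to end: diff the stored control objects against the description in the updated artifact, accept one change or several in bulk, and propagate an accepted change to similar control objects in other programs only where the user asked for it. The following is an added example, not code from the patent or the described service. It models the artifact as plain text (SSP_TEXT) rather than a .docx, and the control numbers, objective labels and field values are constructed; the similarity rule (same objective in another program, or identical field labels and values) is the one stated in the text above.

```python
"""Reconcile control objects with an updated artifact and propagate accepted changes.

Added example, not code from the patent. The artifact is plain text (SSP_TEXT)
instead of a .docx; control numbers, objectives and field values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Key = Tuple[str, str]  # (program name, control name)


@dataclass
class Control:
    program: str
    name: str
    objective: str
    fields: Dict[str, str]

    @property
    def key(self) -> Key:
        return (self.program, self.name)


@dataclass
class Change:
    number: int
    key: Key
    new_values: Dict[str, Tuple[str, str]]  # field label -> (current value, new value)


# Constructed stand-in for the queryable description in the updated artifact:
# one block per control, one "Label: value" line per field.
SSP_TEXT = """\
Control #197
Responsible Role: Network Engineer
Implementation Status: Implemented

Control #198
Responsible Role: Information Security Manager
Implementation Status: Implemented
Implementation Details #1: Quarterly account reviews are performed.
Implementation Details #2: Review evidence is retained in the GRC tool.
"""


def parse_artifact(text: str) -> Dict[str, Dict[str, str]]:
    """Return {control name: {field label: description}} from the artifact text."""
    described: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"Control #\d+", line):
            current = line
            described[current] = {}
        elif current and ":" in line:
            label, _, value = line.partition(":")
            described[current][label.strip()] = value.strip()
    return described


def detect_changes(program: str, registry: Dict[Key, Control],
                   described: Dict[str, Dict[str, str]]) -> List[Change]:
    """One Change per control of `program` whose stored values differ from the
    artifact. Fields the artifact does not mention are left alone, not cleared."""
    changes: List[Change] = []
    for ctrl in registry.values():
        if ctrl.program != program or ctrl.name not in described:
            continue
        desc = described[ctrl.name]
        diff = {label: (cur, desc[label]) for label, cur in ctrl.fields.items()
                if label in desc and desc[label] != cur}
        if diff:
            changes.append(Change(len(changes) + 1, ctrl.key, diff))
    return changes


def similar_controls(target: Control, registry: Dict[Key, Control]) -> List[Key]:
    """Controls in other programs addressing the same objective, or whose field
    labels and values all match the target's (evaluated before the update is applied)."""
    return [key for key, other in registry.items()
            if other.program != target.program
            and (other.objective == target.objective or other.fields == target.fields)]


def apply_change(change: Change, registry: Dict[Key, Control],
                 also: Sequence[Key] = ()) -> List[Key]:
    """Accept one change (option 233-1). `also` is the subset of similar controls
    the user chose to update too (option 225-1); empty means option 225-2."""
    updated: List[Key] = []
    for key in (change.key, *also):
        for label, (_, new) in change.new_values.items():
            registry[key].fields[label] = new
        updated.append(key)
    return updated


def accept_in_bulk(changes: List[Change], accepted: Sequence[int],
                   registry: Dict[Key, Control]) -> List[Key]:
    """Checkboxes followed by option 223-1: accept several changes at once."""
    return [k for ch in changes if ch.number in accepted for k in apply_change(ch, registry)]


def sample_registry() -> Dict[Key, Control]:
    """Constructed programs: Control #198's stored values lag the updated artifact."""
    stale = {"Responsible Role": "Information Security Director",
             "Implementation Status": "Partially Implemented",
             "Implementation Details #1": "Quarterly account reviews are performed.",
             "Implementation Details #2": "Review evidence is kept in a spreadsheet."}
    controls = [
        Control("Program 1", "Control #197", "Objective #11",
                {"Responsible Role": "Network Engineer", "Implementation Status": "Implemented"}),
        Control("Program 1", "Control #198", "Objective #12", dict(stale)),
        Control("Program 2", "Control #50", "Objective #12",          # similar: same objective
                {**stale, "Responsible Role": "Compliance Lead"}),
        Control("Program 2", "Control #51", "Objective #30",
                {"Responsible Role": "DBA", "Implementation Status": "Planned"}),
        Control("Program 3", "Control #101", "Objective #40", dict(stale)),  # similar: same fields
    ]
    return {c.key: c for c in controls}
```

Running detect_changes on the constructed data yields a single change against Control #198 touching exactly the three fields shown in FIG. 2NN (responsible role, implementation status, implementation details #2); similar_controls then names Control #50 and Control #101, and apply_change with `also` restricted to Control #50 leaves Control #101 untouched, which is the partial propagation described in the paragraph above.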

In some embodiments, before generating the information security artifact for a respective information security standard, the electronic device 200 (or the information security service) determines whether the respective information security standard has been updated (e.g., via offline changes or the like) since the first information security program was created in the information security service, since the last time the electronic device 200 (or the information security service) generated an information security artifact for the respective information security standard, etc. For example, in FIG. 2PP, the electronic device 200 has received an input for generating an information security artifact of the first type for the NIST 800-53 information security standard (indicated by the mouse 208 selecting the selectable option 237 while the text field 247 includes the token/tag 201 corresponding to the NIST 800-53 information security standard). In response to the electronic device 200 receiving the input in FIG. 2PP and before generating the information security artifact of the first type for the NIST 800-53 information security standard, the electronic device 200 (or the information security service) optionally determines whether the NIST 800-53 information security standard includes one or more updates since the last time the electronic device 200 generated an information security artifact of the first type for the NIST 800-53 information security standard. It should be understood that if the input in FIG. 2PP included a request to generate an information security artifact of the first type for a different information security standard in addition to, or as an alternative to, the NIST 800-53 information security standard, the electronic device 200 (or the information security service) optionally determines whether the different information security standard includes one or more updates in addition to, or as an alternative to, the NIST 800-53 information security standard.

For example, in FIG. 2QQ, after receiving the input in FIG. 2PP (and before generating the information security artifact of the first type for the NIST 800-53 information security standard), the electronic device 200 (or the information security service) has determined that the NIST 800-53 information security standard includes a new objective #175 and that objectives #45, #50, and #55 in the NIST 800-53 information security standard have been updated since the last time the electronic device 200 (or the information security service) generated an information security artifact of the first type for the NIST 800-53 information security standard. In some embodiments, the new objective #175 in the NIST 800-53 information security standard has one or more characteristics similar to the other objectives previously described above. In some embodiments, the updates to objectives #45, #50, and/or #55 include changes to one or more parts of objectives #45, #50, and/or #55 (e.g., the part(s) of objectives #45, #50, and #55 optionally have characteristics similar to the parts of other objectives previously described), changes to the information required by objectives #45, #50, and/or #55, one or more new parameters required by objectives #45, #50, and/or #55, etc. In other words, the NIST 800-53 information security standard may have published or implemented global changes to the evaluation-criteria defined by the information security standard.

In some embodiments, in response to the electronic device 200 (or the information security service) determining that the NIST 800-53 information security standard includes one or more (global) changes (including a new objective #175 and updates to objectives #45, #50, and #55), the electronic device 200 (or the information security service) optionally displays the indication 249 illustrated in FIG. 2QQ. As shown in FIG. 2QQ, the indication 249 optionally includes information about the determined changes to the NIST 800-53 information security standard. In some embodiments, the information about the determined changes to the NIST 800-53 information security standard includes information identifying which objectives in the NIST 800-53 information security standard the changes are associated with and/or information describing (e.g., detailing) the changes to those objectives. It should be understood that if the electronic device 200 (or the information security service) determined that the NIST 800-53 information security standard included more, different, or fewer updates, the information displayed in the indication 249 would optionally indicate the more, different, or fewer updates.

Additionally, as shown in FIG. 2QQ, the indication 249 optionally includes selectable options 225-1 and 225-2. Selectable option 225-1, when selected, optionally causes the electronic device 200 (or the information security service) to display one or more user interfaces for updating the information security control objects that correspond to the objectives with which the (global) changes are associated before generating the information security artifact of the first type for the NIST 800-53 information security standard (e.g., user interfaces having one or more characteristics similar to those of FIGS. 2N, 2U, and 2X). Conversely, selectable option 225-2, when selected, optionally causes the electronic device 200 (or the information security service) to generate the information security artifact of the first type for the NIST 800-53 information security standard without displaying the one or more user interfaces for updating the information security control objects that correspond to the objectives with which the (global) changes are associated, which optionally causes the electronic device 200 (or the information security service) to generate the information security artifact of the first type in a manner that does not satisfy the evaluation-criteria of the NIST 800-53 information security standard.
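The pre-generation check described in FIGS. 2PP-2QQ needs two things the paragraphs above describe only in words: a way to tell which objectives of a standard are new or changed relative to the last generation, and a mapping from those objectives back to the control objects that must be revisited. The following is an added example, not code from the patent or the described service. The objective contents (a text, a list of parameters, a list of required information), the control-to-objective map, and the practice of persisting a copy of the standard at the time of the last generation are all constructed assumptions for illustration.

```python
"""Detect changes to a standard since the last artifact was generated and list
the control objects to revisit before generating again.

Added example, not code from the patent. Objective contents, the control map
and the persisted copy of the standard are constructed assumptions.
"""
import copy
from typing import Dict, List

Objective = Dict[str, object]   # keys: "text", "parameters", "required_information"


def diff_standard(previous: Dict[str, Objective],
                  current: Dict[str, Objective]) -> Dict[str, object]:
    """Classify objectives as new, removed, or updated (naming the parts that changed)."""
    updated: Dict[str, List[str]] = {}
    for oid, obj in current.items():
        if oid in previous and previous[oid] != obj:
            updated[oid] = sorted(part for part in set(previous[oid]) | set(obj)
                                  if previous[oid].get(part) != obj.get(part))
    return {"new": [o for o in current if o not in previous],
            "updated": updated,
            "removed": [o for o in previous if o not in current]}


def pregeneration_check(previous: Dict[str, Objective], current: Dict[str, Objective],
                        control_map: Dict[str, str]) -> Dict[str, object]:
    """Everything indication 249 needs: the detected changes, the controls mapped to
    each updated objective, and new objectives no control addresses yet. Generating
    while either list is non-empty (option 225-2) leaves the criteria unsatisfied."""
    changes = diff_standard(previous, current)
    by_objective: Dict[str, List[str]] = {}
    for ctrl, oid in control_map.items():
        by_objective.setdefault(oid, []).append(ctrl)
    review = {oid: sorted(by_objective.get(oid, [])) for oid in changes["updated"]}
    uncovered_new = [oid for oid in changes["new"] if oid not in by_objective]
    return {"changes": changes,
            "controls_to_review": review,
            "uncovered_new": uncovered_new,
            "ready_to_generate": not changes["updated"] and not uncovered_new}


# Constructed copy of the standard as persisted at the last generation ...
PREVIOUS: Dict[str, Objective] = {
    "Objective #45": {"text": "Review audit records on a defined schedule.",
                      "parameters": ["organization-defined frequency"],
                      "required_information": ["review records"]},
    "Objective #50": {"text": "Lock sessions after a period of inactivity.",
                      "parameters": ["organization-defined time period"],
                      "required_information": ["configuration evidence"]},
    "Objective #55": {"text": "Protect audit information from unauthorized deletion.",
                      "parameters": [],
                      "required_information": ["access list"]},
    "Objective #60": {"text": "Maintain a baseline configuration.",
                      "parameters": [],
                      "required_information": ["baseline document"]},
}
# ... and the standard as published now: one part each of #45, #50, #55 changed, #175 added.
CURRENT: Dict[str, Objective] = copy.deepcopy(PREVIOUS)
CURRENT["Objective #45"]["text"] = "Review and analyze audit records on a defined schedule."
CURRENT["Objective #50"]["parameters"].append("organization-defined lock screen image")
CURRENT["Objective #55"]["required_information"] = ["access list", "integrity check results"]
CURRENT["Objective #175"] = {"text": "Report compromises of acquired components.",
                             "parameters": ["organization-defined personnel"],
                             "required_information": ["reporting procedure"]}

# Constructed map from control objects in the first program to objectives.
CONTROL_MAP = {"Control #45": "Objective #45", "Control #50": "Objective #50",
               "Control #51": "Objective #50", "Control #55": "Objective #55",
               "Control #60": "Objective #60"}

if __name__ == "__main__":
    result = pregeneration_check(PREVIOUS, CURRENT, CONTROL_MAP)
    print("changes:", result["changes"])
    print("controls to review:", result["controls_to_review"])
    print("new objectives with no control:", result["uncovered_new"])
    print("ready to generate:", result["ready_to_generate"])
```

Comparing whole objective records rather than only their text is the point of the example: the change to Objective #50 is a new parameter and the change to Objective #55 is new required information, and a text-only comparison would report both as unchanged while the artifact generated from them no longer meets the standard's criteria.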

In some embodiments, the user interface 253 for the first information security program includes a selectable option to display the one or more information security standards to which the first information security program corresponds. For example, in FIG. 2RR, while the user interface 253 is displaying the items 241-1 thru 241-328 corresponding to the information security control objects #1-#328 included in the first information security program, the electronic device 200 receives an input selecting the selectable option 227-1 (indicated by mouse 208 selecting the selectable option 227-1). In some embodiments, in response to the electronic device 200 receiving the input in FIG. 2RR, the electronic device 200 displays, in the user interface 253, items 229-1 thru 229-N corresponding to the information security standards to which the first information security program corresponds (e.g., FedRAMP High and information security standards #2-N). In some embodiments, as described previously, the first information security program optionally corresponds to the information security standards associated with items 229-1 thru 229-N for one or more of the reasons described with respect to FIG. 2G or FIG. 2I.

In some embodiments, items 229-1 thru 229-N are selectable and, when selected, cause the electronic device 200 (or the information security service) to display information corresponding to the one or more sections and/or the one or more objectives of the information security standard that corresponds to the selected item. For example, in FIG. 2SS, the electronic device 200 (or the information security service) is receiving an input selecting the item 229-1 corresponding to the FedRAMP High information security standard. In response to the electronic device 200 (or the information security service) receiving the input selecting the item 229-1 corresponding to the FedRAMP High information security standard, the electronic device 200 (or the information security service) optionally displays the user interface 251-3 illustrated in FIG. 2TT. As shown in FIG. 2TT, the user interface 251-3 optionally includes the selectable options 251-1 and 251-2. In some embodiments, selectable option 251-1 is selectable and, when selected, causes the electronic device 200 (or the information security service) to display the one or more sections included in the FedRAMP High information security standard. For example, in FIG. 2TT, the selectable option 251-1 is currently selected (indicated by the electronic device 200 visually emphasizing the selectable option 251-1 and visually de-emphasizing the selectable option 251-2). As a result of the selectable option 251-1 being selected, the electronic device 200 is displaying, in the user interface 251-3, one or more representations of the one or more sections included in the FedRAMP High information security standard, including sections directed to Access Control (AC), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), and Physical and Environmental Protection (PE).
In some embodiments, the one or more representations of the one or more sections included in the FedRAMP High information security standard are selectable and, when selected, cause the electronic device 200 to display, in the user interface 251-3, one or more representations of the one or more objectives of the FedRAMP High information security standard included in the section that corresponds to the selected representation, which in turn are optionally selectable to display a user interface for the objective that corresponds to the selected representation (e.g., similar to user interface 251-4 in FIG. 2UU). The selectable option 251-2 is optionally selectable and, when selected, causes the electronic device 200 (or the information security service) to display, in the user interface 251-3, one or more representations of the one or more objectives included in the FedRAMP High information security standard, which are optionally selectable to display a user interface for the objective that corresponds to the selected representation (e.g., similar to user interface 251-4 in FIG. 2UU). It should be understood that if the electronic device 200 (or the information security service) had detected an input selecting the item 229-2 corresponding to information security standard #2 in FIG. 2SS instead of the item 229-1, the electronic device 200 (or the information security service) optionally would have displayed a user interface that includes the one or more representations of the sections and/or the one or more representations of the objectives of information security standard #2 instead of those of the FedRAMP High information security standard.

In FIG. 2UU, the electronic device 200 is displaying a user interface 251-4 that includes information for Objective #1 in the Awareness and Training section of the FedRAMP High information security standard (indicated by label 251-5). In some embodiments, the representation of the section of the FedRAMP High information security standard indicated at label 251-5 is optionally selectable and, when selected, causes the electronic device 200 to display all of the objectives (similar to Objective #1) included in the section corresponding to the selected representation. For example, if the electronic device 200 (or the information security service) detected a selection directed to the “Awareness and Training” text (which is optionally a link) at the label 251-5, the electronic device 200 optionally displays one or more representations of the one or more objectives included in the Awareness and Training section of the FedRAMP High information security standard.

In some embodiments, user interface 251-4 also includes a selectable label indicating which information security control object(s) in the first information security program correspond to Objective #1 in the FedRAMP High information security standard. For example, in FIG. 2UU, the user interface 251-4 includes a selectable label 251-6 with the text “Information Security Control Object #1”, which indicates that information security control object #1 in the first information security program corresponds to Objective #1 in the FedRAMP High information security standard. In some embodiments, the electronic device 200 detects a selection of the selectable label 251-6 and, in response, displays a user interface that includes one or more fields of information security control object #1 (e.g., a user interface similar to those of FIGS. 2N, 2U, and/or 2X).

Additionally, in some embodiments, the user interface 251-4 includes a description of the Objective #1 in the FedRAMP High information security standard. For example, as shown in FIG. 2UU, the user interface 251-4 includes the text “The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter” (which was described previously with respect to FIG. 2J).

In some embodiments, the electronic device 200 (or the information security service) receives, from a vulnerability scanning service, a vulnerability report that includes information (or vulnerability data) about one or more information security vulnerabilities identified on a system, service, device, and/or product that is associated with the first information security program in the information security service (e.g., the information security controls implemented at the system, service, device, and/or product correspond to the information security control objects included in the first information security program). In response to the electronic device 200 (or the information security service) receiving the vulnerability report from the vulnerability scanning service, the information security service optionally (e.g., selectively) creates and (e.g., selectively) adds to the first information security program one or more information security vulnerability objects corresponding to the one or more information security vulnerabilities included in the vulnerability report. For example, the electronic device 200 (or the information security service) optionally creates a “RedHat curl local file overwrite” information security vulnerability object and information security vulnerability objects #2-N in response to the electronic device 200 (or the information security service) receiving a vulnerability report that includes a “RedHat curl local file overwrite” information security vulnerability and information security vulnerabilities #2-N.

In some embodiments, the electronic device 200 (or the information security service) displays one or more representations of the one or more information security vulnerability objects included in the first information security program. For example, in FIG. 2VV, after (e.g., in response to) creating the above-mentioned information security vulnerability objects, the electronic device 200 (or the information security service) may display, in the user interface 253, items 231-1 thru 231-N corresponding to the “RedHat curl local file overwrite” information security vulnerability and information security vulnerabilities #2-N, respectively. The “RedHat curl local file overwrite” information security vulnerability and information security vulnerabilities #2-N may be arranged according to one or more prioritization criteria (e.g., a severity level, vulnerability risk score, date of the vulnerability, etc.).

In some embodiments, items 231-1 thru 231-N are selectable to display a user interface for the information security vulnerability object that corresponds to the selected item. For example, as also shown in FIG. 2VV, the electronic device 200 is detecting a selection of item 231-1 corresponding to the Red Hat curl local file overwrite information security vulnerability object. In response to the electronic device 200 receiving the selection of item 231-1, the electronic device 200 optionally expands item 231-1 to display information (as illustrated in FIG. 2WW) about the vulnerability object with which item 231-1 is associated (“Red Hat curl local file overwrite”), including a unique identifier of the vulnerability object, the name of the vulnerability, how the vulnerability was discovered, a description of the vulnerability, a proposed solution to remediate the vulnerability, a vulnerability risk score, the severity of the vulnerability, the date the vulnerability was first discovered, the date the vulnerability was last observed, the IP address of the system that includes the vulnerability, the port of the system that includes the vulnerability, and/or the domain name of the system that includes the vulnerability. In some embodiments, the information about a respective vulnerability object includes information (e.g., vulnerability data) included in the above-described vulnerability report and information that was determined by the electronic device 200 (or the information security service). It should be understood that if, in FIG. 2VV, the electronic device 200 detected a selection of item 231-2 instead of 231-1, the electronic device 200 would have optionally expanded item 231-2 instead of 231-1.

In some embodiments, after adding a vulnerability object to a respective information security program, the electronic device 200 (or the information security service) determines if the vulnerability object corresponds to one or more information security control objects in the first information security program. For example, after adding the “Red Hat curl local overwrite” vulnerability object (corresponding to item 231-1 in FIG. 2WW) to the first information security program, the electronic device 200 (or the information security service) optionally determines that the “Red Hat curl local overwrite” vulnerability object is associated with the information security control object #1 in the first information security program (e.g., the information security control that was implemented at a system, service, product, and/or device to prevent such a vulnerability from occurring).

In some embodiments, before determining that the “Red Hat curl local overwrite” vulnerability object is associated with the information security control object #1 in the first information security program, the electronic device 200 (or the information security service) optionally performed a determination of whether other subscriber account(s) (e.g., other than Subscriber A) in the information security service include a vulnerability object corresponding to the “Red Hat curl local file overwrite” vulnerability, and if so, with which information security control object in that subscriber's account the vulnerability object is associated. For example, the electronic device 200 (or the information security service) optionally determines that a second, third, and/or fourth subscriber account in the information security service include a first, second, and third vulnerability object directed to the “Red Hat curl local overwrite” vulnerability, respectively, and that the first, second, and third vulnerability objects are associated with a first, second, and third information security control object, respectively, that correspond to objective #1 in the FedRAMP High information security standard. Thus, in response to determining that the vulnerability objects corresponding to the “Red Hat curl local file overwrite” vulnerability in other subscriber accounts are associated with information security control objects that correspond to objective #1 in the FedRAMP High information security standard, the electronic device 200 (or the information security service) optionally determined that the “Red Hat curl local overwrite” vulnerability object in the first information security program is associated with the information security control object #1 in the first information security program because information security control object #1 corresponds to the same objective—objective #1 in the FedRAMP High information security standard.

Alternatively, or optionally, in some embodiments, if the electronic device 200 (or the information security service) determined that no other subscriber accounts include a vulnerability object directed to the “Red Hat curl local overwrite,” the electronic device 200 (or the information security service) optionally classifies, using one or more machine learning models and/or one or more rules, the vulnerability (e.g., classify the vulnerability as a denial-of-service, exfiltration, malware, virus, or spyware vulnerability, etc.). For example, the electronic device 200 (or the information security service) optionally uses one or more machine learning models and/or one or more (vulnerability classification) rules to classify the “Red Hat curl local overwrite” vulnerability as an exfiltration vulnerability, and thus determines that the “Red Hat curl local overwrite” vulnerability object is associated with the information security control object #1 because the information security control object #1 is responsible for preventing exfiltration vulnerabilities. In some embodiments, the electronic device 200 (or the information security service) identifies that the information security control object #1 is directed to preventing exfiltration vulnerabilities because objective #1 in the FedRAMP High information security standard is directed to preventing exfiltration vulnerabilities. It should be understood that vulnerabilities #2-N (corresponding to items 231-2 thru 231-N) are optionally associated with other information security control objects in the first information security program and were determined to be associated with those information security control objects in ways analogous to those described above.
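The two association paths just described (reuse of a peer subscriber's association through a shared objective, then rule or model based classification as a fallback) can be written out as a small resolver. The following is an added illustration and not code from the patent or its assignee; the subscriber programs, control object identifiers such as ISC-1, the objective identifiers AT-1 and SC-5, and the keyword rule table standing in for the machine learning models are all constructed assumptions.

```python
"""Associating a newly created vulnerability object with a control object.

Added illustration, not code from the patent or its assignee. Subscribers,
control objects, objective identifiers and the keyword rule table are
constructed stand-ins for the service's stored data and its ML models.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ControlObject:
    control_id: str
    objective_id: str                                 # objective of the standard
    prevents: Set[str] = field(default_factory=set)   # vulnerability classes it addresses


@dataclass
class VulnerabilityObject:
    vuln_id: str
    name: str
    control_id: Optional[str] = None                  # set once associated


@dataclass
class SubscriberProgram:
    subscriber: str
    controls: Dict[str, ControlObject]
    vulns: List[VulnerabilityObject] = field(default_factory=list)


# Constructed stand-in for the classification model: name keyword -> class.
CLASS_RULES = [("file overwrite", "exfiltration"),
               ("flood", "denial-of-service"),
               ("credential", "malware")]


def classify(name: str) -> str:
    """Rule-based fallback classification of a vulnerability by its name."""
    lowered = name.lower()
    for needle, label in CLASS_RULES:
        if needle in lowered:
            return label
    return "unclassified"


def objective_from_peers(name: str, programs: List[SubscriberProgram],
                         exclude: str) -> Optional[str]:
    """Objective other subscribers tied this vulnerability to (majority vote)."""
    votes: Dict[str, int] = {}
    for program in programs:
        if program.subscriber == exclude:
            continue
        for v in program.vulns:
            if v.name == name and v.control_id is not None:
                objective = program.controls[v.control_id].objective_id
                votes[objective] = votes.get(objective, 0) + 1
    return max(sorted(votes), key=lambda o: votes[o]) if votes else None


def associate(vuln: VulnerabilityObject, program: SubscriberProgram,
              all_programs: List[SubscriberProgram]) -> Tuple[str, Optional[str]]:
    """Link vuln to a control in program; returns (method, control_id).

    Peer path: reuse the objective a peer's association points at and pick
    our control for that objective. Rule path: classify the vulnerability
    and pick the control responsible for preventing that class.
    """
    objective = objective_from_peers(vuln.name, all_programs, program.subscriber)
    if objective is not None:
        for ctrl in program.controls.values():
            if ctrl.objective_id == objective:
                vuln.control_id = ctrl.control_id
                return ("peer", ctrl.control_id)
    label = classify(vuln.name)
    for ctrl in program.controls.values():
        if label in ctrl.prevents:
            vuln.control_id = ctrl.control_id
            return ("rule", ctrl.control_id)
    return ("none", None)


def run_demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed data: Subscriber A ingests three vulnerabilities."""
    sub_a = SubscriberProgram("Subscriber A", {
        "ISC-1": ControlObject("ISC-1", "AT-1", {"exfiltration"}),
        "ISC-2": ControlObject("ISC-2", "SC-5", {"denial-of-service"})})
    peers = [
        SubscriberProgram("Subscriber B", {"B-7": ControlObject("B-7", "AT-1")},
                          [VulnerabilityObject("b-1", "Red Hat curl local file overwrite", "B-7")]),
        SubscriberProgram("Subscriber C", {"C-3": ControlObject("C-3", "AT-1")},
                          [VulnerabilityObject("c-1", "Red Hat curl local file overwrite", "C-3")])]
    incoming = [VulnerabilityObject("v-1", "Red Hat curl local file overwrite"),
                VulnerabilityObject("v-2", "Example API request flood"),
                VulnerabilityObject("v-3", "Unrecognised widget defect")]
    results = {}
    for v in incoming:
        sub_a.vulns.append(v)
        results[v.vuln_id] = associate(v, sub_a, [sub_a] + peers)
    return results


if __name__ == "__main__":
    for vuln_id, outcome in run_demo().items():
        print(vuln_id, outcome)
```

The peer lookup deliberately resolves to an objective rather than to a peer's control identifier, because control objects are private to each subscriber account; only the objective of the shared authoritative standard is common ground. When peers agree on an objective that the current program has no control object for, the resolver falls through to the classification path instead of guessing, and a vulnerability that neither path can place is left unassociated for a human to review.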

In some embodiments, the vulnerability objects (and the information or vulnerability data) included in the first information security program are used to generate an information security artifact of the second type (e.g., a vulnerability (data) report required by a respective information security standard) (e.g., different from the information security artifact of the first type) in accordance with evaluation criteria of a respective information security standard. In some embodiments, the vulnerability objects (or vulnerability data) that may be included in the information security artifact of the second type may be based on a predetermined period of time (e.g., vulnerabilities occurring in the past month, vulnerabilities occurring in the past year, etc.). For example, the electronic device 200 (or the information security service) may optionally generate the information security artifact of the second type in response to the electronic device 200 (or the information security service) detecting a selection of the selectable option 237 in FIG. 2MM while the text field 247 includes a token/tag, such as “Vulnerability report for ISO 27001,” “Vulnerability report for FedRAMP,” “Vulnerability report for SOC 2,” etc. In some embodiments, the electronic device 200 (or the information security service) concurrently generates the information security artifact of the first type and the second type (e.g., for the same or different information security standards) in response to a single input if the text field 247 includes such tokens/tags when the electronic device 200 (or the information security service) detects the selection of the selectable option 237 in FIG. 2MM.
In some embodiments, a generated vulnerability report for an information security standard may include one or more pieces of vulnerability data of the one or more vulnerability objects in the first information security program, including, but not limited to, a unique identification value of the vulnerability, a severity level of the vulnerability, a current remediation status of the vulnerability, and/or the associated information security control objects mitigating the vulnerability (which may be obtained from the information stored, in the information security service, about the vulnerability object, as described previously). It shall be noted that in one or more embodiments of a vulnerability (data) report, the vulnerability (data) report may include all information associated with a vulnerability object, or a subset of the information associated with a vulnerability object, in ways analogous to those described above. Additionally, based on (or in response to) generating the information security artifact of the first type and/or the second type, the information security service (or the electronic device 200) may (e.g., automatically) transmit (e.g., via one or more APIs or other means accepted by the one or more regulatory bodies) the information security artifact of the first type and/or the second type to one or more regulatory bodies associated with the generated information security artifacts (e.g., in response to a user selecting a ‘submit’ user interface object (not shown)). Accordingly, based on the assessment entity receiving the first cybersecurity artifact, the assessment entity may initiate an evaluation (e.g., technical cybersecurity control data evaluation and/or non-technical evaluation) of one or more target cybersecurity artifacts.
Similarly, if the information security service generated multiple information security artifacts associated with multiple different information security standards, the information security service may automatically transmit the multiple different information security artifacts to multiple different assessment entities associated with the multiple different information security standards (e.g., via a ‘submit’ user interface object (not shown)).
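The second-type artifact described above (a vulnerability report scoped to a period, reduced to the fields a standard's evaluation criteria ask for, and triggered by "Vulnerability report for …" tags in the text field) is shown below as an added example. It is not code from the patent or its assignee; the per-standard field sets in REPORT_FIELDS, the severity ranking, the tag syntax parsed by TAG_PATTERN, and the sample vulnerability objects (hosts, scores, dates) are constructed assumptions.

```python
"""Generating a vulnerability (data) report artifact for a standard.

Added illustration, not the patent's own code. The field sets each
standard requires, the severity ranking, the tag syntax and the sample
vulnerability objects are constructed assumptions.
"""
import re
from dataclasses import asdict, dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class VulnerabilityObject:
    vuln_id: str
    name: str
    severity: str                  # critical / high / medium / low
    risk_score: float
    first_seen: date
    last_seen: date
    remediation_status: str
    control_ids: Tuple[str, ...]   # associated control objects mitigating it
    host: str                      # IP address or domain name from the scanner


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed assumption: the fields each standard's evaluation criteria call for.
REPORT_FIELDS = {
    "FedRAMP": ("vuln_id", "severity", "remediation_status", "control_ids", "host"),
    "ISO 27001": ("vuln_id", "severity", "remediation_status", "control_ids"),
    "SOC 2": ("vuln_id", "severity", "remediation_status"),
}

# Tags are separated by commas or semicolons in the text field (assumption).
TAG_PATTERN = re.compile(r"Vulnerability report for ([^,;]+)")

DEMO_AS_OF = date(2022, 3, 21)     # constructed "today" for the sample data


def prioritize(vulns) -> List[VulnerabilityObject]:
    """Highest severity first, then highest risk score, then oldest."""
    return sorted(vulns, key=lambda v: (SEVERITY_RANK[v.severity],
                                        -v.risk_score, v.first_seen))


def generate_vulnerability_report(vulns, standard: str, as_of: date,
                                  period_days: int) -> Dict:
    """Second-type artifact: vulnerabilities observed within the period,
    each reduced to the fields the standard's criteria require."""
    cutoff = as_of - timedelta(days=period_days)
    fields = REPORT_FIELDS[standard]
    rows = []
    for v in prioritize(v for v in vulns if v.last_seen >= cutoff):
        full = asdict(v)
        full["control_ids"] = list(v.control_ids)
        rows.append({f: full[f] for f in fields})
    return {"standard": standard, "generated": as_of.isoformat(),
            "period_days": period_days, "vulnerabilities": rows}


def reports_from_tags(text_field: str, vulns, as_of: date,
                      period_days: int = 30) -> Dict[str, Dict]:
    """One report per recognised 'Vulnerability report for X' tag."""
    standards = [m.strip() for m in TAG_PATTERN.findall(text_field)]
    return {s: generate_vulnerability_report(vulns, s, as_of, period_days)
            for s in standards if s in REPORT_FIELDS}


def sample_vulns() -> List[VulnerabilityObject]:
    """Constructed vulnerability objects for a first information security program."""
    return [
        VulnerabilityObject("v-1", "Red Hat curl local file overwrite", "high", 7.5,
                            date(2022, 3, 1), date(2022, 3, 20), "open", ("ISC-1",), "10.0.0.5"),
        VulnerabilityObject("v-2", "Example TLS configuration weakness", "critical", 9.1,
                            date(2022, 2, 10), date(2022, 3, 18), "in progress", ("ISC-4",), "app.example.test"),
        VulnerabilityObject("v-3", "Example stale package", "low", 2.0,
                            date(2021, 11, 2), date(2021, 12, 1), "remediated", ("ISC-2",), "10.0.0.9"),
        VulnerabilityObject("v-4", "Example privilege issue", "high", 8.0,
                            date(2022, 1, 5), date(2022, 3, 19), "open", ("ISC-1", "ISC-3"), "10.0.0.7"),
    ]


if __name__ == "__main__":
    tags = "Vulnerability report for ISO 27001, Vulnerability report for FedRAMP"
    for name, report in reports_from_tags(tags, sample_vulns(), DEMO_AS_OF).items():
        print(name, [row["vuln_id"] for row in report["vulnerabilities"]])
```

Reducing each record to the standard's field list is the point of the example: the same vulnerability objects feed three differently shaped reports, and data the standard does not ask for (here the host for SOC 2 and ISO 27001) never leaves the service. The period filter keys on the last-observed date, so a finding remediated long ago drops out of a 30-day report but still appears in a 365-day one.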

In addition, in methods described herein where one or more steps are contingent upon one or more conditions having been met, it should be understood that the described method can be repeated in multiple repetitions so that over the course of the repetitions all of the conditions upon which steps in the method are contingent have been met in different repetitions of the method. For example, if a method requires performing a first step if a condition is satisfied, and a second step if the condition is not satisfied, then a person of ordinary skill would appreciate that the claimed steps are repeated until the condition has been both satisfied and not satisfied, in no particular order. Thus, a method described with one or more steps that are contingent upon one or more conditions having been met could be rewritten as a method that is repeated until each of the conditions described in the method has been met. This, however, is not required of system or computer readable medium claims where the system or computer readable medium contains instructions for performing the contingent operations based on the satisfaction of the corresponding one or more conditions and thus is capable of determining whether the contingency has or has not been satisfied without explicitly repeating steps of a method until all of the conditions upon which steps in the method are contingent have been met. A person having ordinary skill in the art would also understand that, similar to a method with contingent steps, a system or computer readable storage medium can repeat the steps of a method as many times as are needed to ensure that all of the contingent steps have been performed.

Embodiments of the system and/or method can include every combination and permutation of the various system components and the various method processes, wherein one or more instances of the method and/or processes described herein can be performed asynchronously (e.g., sequentially), concurrently (e.g., in parallel), or in any other suitable order by and/or using one or more instances of the systems, elements, and/or entities described herein.

An exemplary method 300 will now be described below. It shall be noted that the processes described below enhance the operability of an information security service and make the information security service user interfaces more efficient (e.g., by helping the user/subscriber to provide proper inputs and reducing user mistakes when operating/interacting with the information security service) through various techniques, including by providing improved visual feedback to the user, reducing the number of inputs needed to perform an operation, providing additional control options without cluttering the user interface with additional displayed controls, performing an operation when a set of conditions has been met without requiring further user input, improving privacy and/or security, and/or additional techniques. These techniques also reduce power usage and computational resources of the information security service by enabling the user to use the information security service more quickly and efficiently.

In some embodiments, the method 300 performs one or more of the processes described below at a cybersecurity data handling and governance service. In some embodiments, the cybersecurity data handling and governance service displays, via a first user interface of the cybersecurity data handling and governance service, a cybersecurity artifact generation object. In some embodiments, while displaying the cybersecurity artifact generation object, the cybersecurity data handling and governance service receives a first input selecting the cybersecurity artifact generation object.

In some embodiments, in response to receiving the first input, in accordance with a determination that the first input is directed to generating a first cybersecurity artifact corresponding to a first authoritative information security standard, in accordance with a determination that the first user interface is dedicated to displaying information directed to a first cybersecurity data catalogue, wherein the first cyber security data catalogue includes a first set of cybersecurity control data objects digitally mapped to the first authoritative information security standard, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the first set of cybersecurity control data objects in accordance with submittal-criteria defined by the first authoritative information security standard. In some embodiments, in accordance with a determination that the first user interface is dedicated to displaying information directed to a second cybersecurity data catalogue, different from the first cybersecurity data catalogue, wherein the second cybersecurity data catalogue includes a second set of cybersecurity control data objects digitally mapped to the first authoritative information security standard, the cybersecurity data handling and governance service generates the first cyber security artifact based on the second set of cyber security control data objects in accordance with the submittal-criteria defined by the first authoritative information security standard.

The above-described manner of generating two different cybersecurity artifacts enables the information security service (or the electronic device) to quickly and automatically generate different information security artifacts based on different cyber security data catalogues of the information security service. This reduces the number of inputs required by a user to generate an information security artifact that satisfies respective submittal-criteria.

In some embodiments, the first user interface is dedicated to the first cybersecurity data catalogue, and the first cybersecurity data catalogue includes the first set of cybersecurity control data objects and a third set of cybersecurity control data objects. In some embodiments, in response to receiving the first input: in accordance with a determination that the third set of cybersecurity control data objects are digitally mapped to the first authoritative information security standard, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the first set and the third set of cybersecurity control data objects in accordance with the submittal-criteria defined by the first authoritative information security standard; and in accordance with a determination that the third set of cybersecurity control data objects are not digitally mapped to the first authoritative information security standard, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the first set of cybersecurity control data objects in accordance with the submittal-criteria defined by the first authoritative information security standard without generating the first cybersecurity artifact based on the third set of cybersecurity control data objects.

The above-described manner of only utilizing the cybersecurity control data objects of a cybersecurity control data catalogue which are digitally mapped to a target information security standard causes the information security service (or the electronic device) to generate an information security artifact that includes only required control data (e.g., and not erroneous control data).

In some embodiments, the first authoritative information security standard includes a first set of cybersecurity objectives and a second set of cybersecurity objectives, and the first set of cybersecurity control data objects are digitally mapped to distinct cybersecurity objectives of the first set of cybersecurity objectives.

In some embodiments, in response to receiving the first input, the cybersecurity data handling and governance service determines that the first cybersecurity data catalogue does not include a cybersecurity control data object digitally mapped to a respective cybersecurity objective of the second set of cybersecurity objectives. In some embodiments, in response to determining that the first cybersecurity data catalogue does not include a cybersecurity control data object digitally mapped to the respective cybersecurity objective of the second set of cybersecurity objectives: in accordance with a determination that a third cybersecurity data catalogue, different from the first cybersecurity data catalogue, includes a first cybersecurity control data object that is digitally mapped to the respective cybersecurity objective of the second set of cybersecurity objectives, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the first set of cybersecurity control data objects of the first cybersecurity data catalogue and the first cybersecurity control data object of the third cybersecurity data catalogue in accordance with the submittal-criteria defined by the first authoritative information security standard.

The above-described manner of generating the information security artifact with control data included in another cybersecurity data catalogue causes the information security service (or the electronic device) to source necessary control data from other cybersecurity data catalogues if the first cybersecurity data catalogue does not include all the required data to generate an information security artifact.

In some embodiments, in response to determining that the first cybersecurity data catalogue does not include the cybersecurity control data object digitally mapped to the respective cybersecurity objective of the second set of cybersecurity objectives and before generating the first cybersecurity artifact, the cybersecurity data handling and governance service displays, overlaid on the first user interface, an indication indicating that the first cybersecurity data catalogue does not include a cybersecurity control data object digitally mapped to the respective cybersecurity objective of the second set of cybersecurity objectives, wherein displaying the indication includes displaying a first selectable option and a second selectable option. In some embodiments, while displaying the indication, the cybersecurity data handling and governance service receives a second input. In some embodiments, in response to receiving the second input: in accordance with a determination that the second input is directed to the first selectable option, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the first set of cybersecurity control data objects of the first cybersecurity data catalogue and the first cybersecurity control data object of the third cybersecurity data catalogue in accordance with the submittal-criteria defined by the first authoritative information security standard.
In some embodiments, in accordance with a determination that the second input is directed to the second selectable option, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the first set of cybersecurity control data objects of the first cybersecurity data catalogue and not based on the first cybersecurity control data object of the third cybersecurity data catalogue, wherein the first cybersecurity artifact generated based on the first set of cybersecurity control data objects of the first cybersecurity data catalogue and not based on the first cybersecurity control data object of the third cybersecurity data catalogue only partially satisfies the submittal-criteria defined by the first authoritative information security standard.

The above-described manner of displaying the second user interface overlaid on the first user interface provides an efficient way of indicating when a cybersecurity data catalogue does not include all of the required control data to generate a target information security artifact and an efficient way to identify user preferences in generating the target information security artifact in such situations.

In some embodiments, in response to determining that the first cybersecurity data catalogue does not include the cybersecurity control data object digitally mapped to the respective cybersecurity objective of the second set of cybersecurity objectives: in accordance with a determination that the cybersecurity data handling and governance service does not include one of a plurality of distinct cybersecurity data catalogues that includes a cybersecurity control data object digitally mapped to the respective cybersecurity objective of the second set of cybersecurity objectives, the cybersecurity data handling and governance service displays, overlaid on the first user interface, an indication that includes a selectable option that, when selected, initiates a process to create, in the first cybersecurity data catalogue, the cybersecurity control data object corresponding to the respective cybersecurity objective.

The above-described manner of displaying a selectable option to create a missing (required) cybersecurity control data object required for creating a target information security artifact reduces the number of inputs needed to add missing control data to a target cybersecurity data catalogue.

In some embodiments, each cybersecurity control data object of the first set of cybersecurity control data objects is digitally mapped to a corresponding cybersecurity objective defined by the first authoritative information security standard. In some embodiments, each cybersecurity control data object of the first set of cybersecurity control data objects includes one or more first respective cybersecurity attributes that map to cybersecurity control information requirements of the corresponding cybersecurity objective. In some embodiments, each cybersecurity control data object of the first set of cybersecurity control data objects comprises one or more second respective cybersecurity attributes that do not map to the cybersecurity control information requirements of the corresponding cybersecurity objective. The above-described properties of a cybersecurity control data object provide an efficient way for extracting information that is relevant to generating a target information security artifact without extracting erroneous/unnecessary information.

In some embodiments, generating the first cybersecurity artifact based on the first set of cybersecurity control data objects includes: instantiating, by one or more computers of the cybersecurity data handling and governance service, a foundational cybersecurity artifact that is structurally compliant with the submittal-criteria of the first cybersecurity artifact to the first authoritative information security standard, extracting one or more attribute values of the one or more first respective cybersecurity attributes defined in each cybersecurity control data object of the first set of cybersecurity control data objects, and installing, by the one or more computers of the cybersecurity data handling and governance service, the one or more attribute values extracted from the one or more first respective cybersecurity attributes defined in each cybersecurity control data object of the first set of cybersecurity control data objects into one or more corresponding portions of the foundational cybersecurity artifact.

The above-described manner of obtaining a structurally compliant, foundational security artifact in response to receiving the above-described first input and installing relevant information into the foundational security artifact provides an efficient way for generating an information security artifact that satisfies associated submittal criteria with minimal user input.

In some embodiments, (1) the first set of cybersecurity control data objects includes a first cybersecurity control data object, (2) the one or more first respective cybersecurity attributes defined in the first cybersecurity control data object includes a cybersecurity attribute that has a first value, and (3) generating the first cybersecurity artifact includes installing, by one or more computers of the cybersecurity data handling and governance service, the first value of the first cybersecurity attribute at a corresponding portion in the first cybersecurity artifact.

In some embodiments, after generating the first cybersecurity artifact based on the first set of cybersecurity control data objects, the cybersecurity data handling and governance service receives a second input corresponding to a request to modify the first cybersecurity attribute from having the first value to having a second value, different from the first value; and after modifying the first cybersecurity attribute in accordance with the second input, the cybersecurity data handling and governance service generates, by the one or more computers of the cybersecurity data handling and governance service, an updated cybersecurity artifact based on the first set of cybersecurity control data objects in accordance with the submittal-criteria defined by the first authoritative information security standard, wherein generating the updated cybersecurity artifact includes installing, by the one or more computers of the cybersecurity data handling and governance service, the second value of the first cybersecurity attribute at the corresponding portion in the updated cybersecurity artifact.
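The artifact generation steps set out in the preceding paragraphs (instantiating a structurally compliant foundational artifact, installing only the mapped "first respective" attribute values from control data objects that are digitally mapped to the target standard, sourcing a control data object for a missing objective from a third catalogue or else flagging partial satisfaction, and regenerating after an attribute value changes) are shown together in the following added example. It is not code from the patent or its assignee; the STANDARDS table (its objective identifiers AT-1 and AC-2 and required fields), the catalogue names and control identifiers, and all attribute values are constructed assumptions.

```python
"""Generating a cybersecurity artifact from a catalogue's control data objects.

Added illustration, not the patent's own code. The standard definition,
its submittal criteria (required objectives and fields) and the sample
catalogues are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass
class ControlDataObject:
    control_id: str
    standard: Optional[str]                 # standard it is digitally mapped to
    objective_id: Optional[str]             # objective within that standard
    mapped_attrs: Dict[str, str]            # "first respective" attributes: exported
    other_attrs: Dict[str, str] = field(default_factory=dict)  # never exported


@dataclass
class Catalogue:
    name: str
    controls: List[ControlDataObject]


# Constructed submittal criteria: objectives that must be covered and the
# attribute values each section of the artifact must carry.
STANDARDS = {
    "FedRAMP High": {"objectives": ["AT-1", "AC-2"],
                     "fields": ["owner", "implementation", "evidence"]},
}


def foundational_artifact(standard: str) -> Dict:
    """Empty, structurally compliant skeleton: one section per objective."""
    spec = STANDARDS[standard]
    return {"standard": standard, "status": "incomplete", "sources": {},
            "missing_objectives": [],
            "sections": {o: {f: None for f in spec["fields"]}
                         for o in spec["objectives"]}}


def install(artifact: Dict, control: ControlDataObject, source: str) -> None:
    """Copy only the mapped attribute values into the matching section."""
    section = artifact["sections"][control.objective_id]
    for f in section:
        section[f] = control.mapped_attrs.get(f)
    artifact["sources"][control.objective_id] = (source, control.control_id)


def mapped_to(catalogue: Catalogue, standard: str) -> List[ControlDataObject]:
    """Control data objects digitally mapped to an objective of the standard."""
    objectives = STANDARDS[standard]["objectives"]
    return [c for c in catalogue.controls
            if c.standard == standard and c.objective_id in objectives]


def generate_artifact(standard: str, catalogue: Catalogue,
                      other_catalogues: Sequence[Catalogue] = (),
                      source_from_others: bool = True) -> Dict:
    art = foundational_artifact(standard)
    for c in mapped_to(catalogue, standard):   # objects mapped elsewhere are skipped
        install(art, c, catalogue.name)
    missing = [o for o in art["sections"] if o not in art["sources"]]
    if source_from_others:                     # the "first selectable option" path
        for other in other_catalogues:
            for c in mapped_to(other, standard):
                if c.objective_id in missing:
                    install(art, c, other.name)
                    missing.remove(c.objective_id)
    art["missing_objectives"] = missing
    art["status"] = "satisfies" if not missing else "partial"
    return art


def regenerate_after_update(standard: str, catalogue: Catalogue, others,
                            control_id: str, attr: str, new_value: str) -> Dict:
    """Modify one mapped attribute, then regenerate so the new value lands."""
    for c in catalogue.controls:
        if c.control_id == control_id:
            c.mapped_attrs[attr] = new_value
    return generate_artifact(standard, catalogue, others)


def sample_catalogues():
    """Constructed data: the first catalogue covers AT-1 only; a third covers AC-2."""
    first = Catalogue("Program A", [
        ControlDataObject("ISC-1", "FedRAMP High", "AT-1",
                          {"owner": "Security Training Lead",
                           "implementation": "Annual awareness course",
                           "evidence": "LMS completion export"},
                          {"internal_ticket": "TCK-0001 (constructed)"}),
        ControlDataObject("ISC-9", "ISO 27001", "A.5.1", {"owner": "CISO"}),
    ])
    third = Catalogue("Program C", [
        ControlDataObject("ISC-22", "FedRAMP High", "AC-2",
                          {"owner": "IAM Team",
                           "implementation": "Quarterly account review",
                           "evidence": "Review sign-off"}),
    ])
    return first, third


if __name__ == "__main__":
    first, third = sample_catalogues()
    print(generate_artifact("FedRAMP High", first, [third]))
```

Two design points carry the security intent of the passage. The skeleton is built from the standard's own required objectives and fields, so the output can only ever contain those portions, and `install` reads just the mapped attribute dictionary, so an internal field such as a ticket reference is never copied into a document that leaves the organisation. Declining to source from other catalogues yields a `partial` artifact with the uncovered objectives listed, which is what the second selectable option in the text produces.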

The above-described manner of installing data related to a most recently updated cybersecurity control data provides an efficient way of generating a target cybersecurity artifact based on updates most recently made by the subscriber, especially when the cybersecurity service includes multiple control data objects mapped to a same (or equivalent) cybersecurity objective.

In some embodiments, the cybersecurity data handling and governance service receives the second input while a second user interface of the cybersecurity data handling governance service is being overlaid on the first user interface. The above-described manner of receiving the second input while the second user interface is being overlaid on the first user interface provides feedback about a state of the information security service.

In some embodiments, (1) the first user interface of the cybersecurity data handling governance service is dedicated to displaying information directed to the first cybersecurity data catalogue, and (2) displaying the first user interface includes displaying the cybersecurity artifact generation object concurrently with one or more selectable representations corresponding to one or more cybersecurity control data objects defined in the first set of cybersecurity control data objects, including a first representation of a first cybersecurity control data object defined in the first set of cybersecurity control data objects.

In some embodiments, the cybersecurity data handling and governance service receives a second input selecting the first representation. In some embodiments, in response to receiving the second input, the cybersecurity data handling and governance service displays, via a second user interface of the cybersecurity data handling governance service, the one or more first respective cybersecurity attributes and the one or more second respective cybersecurity attributes that correspond to the first cybersecurity control data object.

The above described manner of displaying representations of cybersecurity control data objects concurrently with the cybersecurity artifact generation object provides an efficient way of displaying and/or arranging relevant information related to the cybersecurity data catalogue on a same user interface.

In some embodiments, (1) the first set of cybersecurity control data objects includes a first cybersecurity control data object, (2) the one or more first respective cybersecurity attributes defined in the first cybersecurity control data object includes a first cybersecurity attribute that has a first value, and (3) generating the first cybersecurity artifact includes installing, by one or more computers of the cybersecurity data handling and governance service, the first value of the first cybersecurity attribute at a corresponding portion in the first cybersecurity artifact. In some embodiments, after generating the first cybersecurity artifact and while a third cybersecurity data catalogue, different from the first cybersecurity data catalogue, in the cybersecurity data handling and governance service includes a respective cybersecurity control data object that has a plurality of cybersecurity attributes, including a respective cybersecurity attribute that has a first value, the cybersecurity data handling and governance service receives a second input corresponding to a request to modify the respective cybersecurity attribute from having the first value to having a second value, different from the first value; and after modifying the respective cybersecurity attribute in accordance with the second input, the cybersecurity data handling and governance service generates an updated cybersecurity artifact based on the first set of cybersecurity controls in accordance with the submittal-criteria defined by the first authoritative information security standard, wherein generating the updated cybersecurity artifact includes: in accordance with a determination that the first cybersecurity control data object of the first cybersecurity data catalogue and the respective cybersecurity control data object of the third cybersecurity data catalogue correspond to a same cybersecurity objective defined in the first authoritative information security standard, installing the second value at the corresponding portion in the updated cybersecurity artifact; and in accordance with a determination that the first cybersecurity control data object of the first cybersecurity data catalogue and the respective cybersecurity control data object of the third cybersecurity data catalogue do not correspond to a same cybersecurity objective defined in the first authoritative information security standard, installing the first value at the corresponding portion in the updated cybersecurity artifact.

The above described manner of generating a new/updated cybersecurity artifact based on updates performed by a subscriber provides an efficient way to generate information security artifacts based on recent changes to the cybersecurity control data with minimal user input.
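The generation and regeneration logic described in the preceding embodiments (standard-specific attribute subsets, and the "same objective" determination when a control in a third catalogue is modified) as an added, runnable illustration; this is example code written for this page, not the patent's or any product's implementation, and the data model, the standards "STD-A"/"STD-B", the objective ids and the sample controls are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical data model for the embodiments above; names, standards ("STD-A",
# "STD-B"), objective ids and sample controls are constructed for this example.

@dataclass
class ControlDataObject:
    """A cybersecurity control data object whose attribute values are grouped
    by the standard they correspond to (the first/second subsets of claim 7)."""
    control_id: str
    objective: Optional[str]                # objective id in the target standard, if mapped
    attributes: Dict[str, Dict[str, str]]   # standard -> {attribute name: value}
    updated_at: int = 0                     # logical clock of the last modification

@dataclass
class Catalogue:
    """A cybersecurity data catalogue (the claims call it a cybersecurity program)."""
    name: str
    controls: List[ControlDataObject] = field(default_factory=list)

def modify_attribute(control: ControlDataObject, standard: str,
                     name: str, value: str, clock: int) -> None:
    """Change one attribute from its first value to a second value and record when."""
    control.attributes.setdefault(standard, {})[name] = value
    control.updated_at = clock

def generate_artifact(catalogue: Catalogue, standard: str) -> Dict[str, Dict[str, str]]:
    """Generate an artifact for `standard`: each control contributes only the
    attributes that correspond to that standard; the rest are left out (claim 8)."""
    artifact = {}
    for control in catalogue.controls:
        attrs = control.attributes.get(standard)
        if attrs:                           # skip controls with nothing for this standard
            artifact[control.control_id] = dict(attrs)
    return artifact

def generate_updated_artifact(primary: Catalogue, standard: str,
                              others: List[Catalogue]) -> Dict[str, Dict[str, str]]:
    """Regenerate from `primary`, honouring later edits made in other catalogues:
    when another catalogue's control maps to the *same* objective and was updated
    more recently, its second value is installed; otherwise the primary control's
    own first value is kept (the two determinations described above)."""
    artifact = {}
    for control in primary.controls:
        if standard not in control.attributes:
            continue
        candidates = [control]
        if control.objective is not None:
            for catalogue in others:
                candidates += [c for c in catalogue.controls
                               if c.objective == control.objective
                               and standard in c.attributes]
        newest = max(candidates, key=lambda c: c.updated_at)   # ties keep the primary control
        merged = dict(control.attributes[standard])
        merged.update(newest.attributes[standard])             # only the attributes it defines
        artifact[control.control_id] = merged
    return artifact

def demo():
    """Constructed walkthrough: generate, edit a same-objective control in a third
    catalogue and an unrelated one, then regenerate."""
    primary = Catalogue("Catalogue-1", [
        ControlDataObject("AC-01", "OBJ-ACCESS", {
            "STD-A": {"owner": "CISO", "review_cycle": "annual"},
            "STD-B": {"ticket": "B-42"},        # second subset: not in a STD-A artifact
        }),
        ControlDataObject("IR-03", "OBJ-INCIDENT", {"STD-A": {"owner": "SOC lead"}}),
    ])
    third = Catalogue("Catalogue-3", [
        ControlDataObject("X-07", "OBJ-ACCESS", {"STD-A": {"owner": "CISO"}}),
        ControlDataObject("X-09", "OBJ-LOGGING", {"STD-A": {"owner": "Platform"}}),
    ])
    first = generate_artifact(primary, "STD-A")
    modify_attribute(third.controls[0], "STD-A", "owner", "Deputy CISO", clock=1)  # same objective as AC-01
    modify_attribute(third.controls[1], "STD-A", "owner", "SRE", clock=2)          # unrelated objective
    updated = generate_updated_artifact(primary, "STD-A", [third])
    return first, updated
```

Running `demo()` shows the STD-B attribute never reaching the STD-A artifact, the edit on X-07 propagating into AC-01 because both map to OBJ-ACCESS, and the edit on X-09 being ignored.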

In some embodiments, in response to receiving the first input, in accordance with a determination that the first input is directed to generating the first cybersecurity artifact corresponding to the first authoritative information security standard, and in accordance with a determination that the first user interface is dedicated to displaying information directed to a third cybersecurity data catalogue, different from the first and the second cybersecurity data catalogue, wherein the third cybersecurity data catalogue includes a third set of cybersecurity control data objects that are digitally mapped to a second authoritative information security standard, different from the first authoritative information security standard: the cybersecurity data handling and governance service digitally maps the third set of cybersecurity control data objects from the second authoritative information security standard to the first authoritative information security standard; and the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the third set of cybersecurity control data objects in accordance with the submittal-criteria defined by the first authoritative information security standard.

In some embodiments, the first user interface is dedicated to displaying information directed to the first cybersecurity data catalogue. In some embodiments, before displaying the first user interface, the cybersecurity data handling and governance service displays a second user interface of the cybersecurity data handling and governance service that includes a first representation that is selectable to display the first user interface and a second representation that is selectable to display a third user interface dedicated to the second cybersecurity data catalogue, wherein displaying the second user interface includes: in accordance with a determination that a majority of the first cybersecurity data catalogue was created based on an uploaded cybersecurity artifact that satisfies submittal-criteria defined by a respective information security standard, displaying the first representation with a first visual characteristic; and in accordance with a determination that a majority of the first cybersecurity data catalogue was not created based on an uploaded cybersecurity artifact, displaying the first representation with a second visual characteristic, different from the first visual characteristic.

The above described manner of displaying different cybersecurity data catalogues based on whether each was created from an uploaded cybersecurity artifact (e.g., its creation origin) provides an efficient way to differentiate different types of cybersecurity data catalogues to the subscriber.

In some embodiments, the first user interface is dedicated to the first cybersecurity data catalogue, and the first input is directed to generating the first cybersecurity artifact corresponding to the first authoritative information security standard and a second cybersecurity artifact corresponding to a second authoritative information security standard, different from the first authoritative information security standard. In some embodiments, in response to receiving the first input, the cybersecurity data handling and governance service generates the first cybersecurity artifact based on the first set of cybersecurity control data objects in accordance with the submittal-criteria defined by the first authoritative information security standard; and generates the second cybersecurity artifact based on a third set of cybersecurity control data objects included in the first cybersecurity data catalogue in accordance with submittal-criteria defined by the second authoritative information security standard.

The above described manner of generating multiple information security artifacts provides an efficient way of simultaneously generating multiple distinct security artifacts in response to or based on a single (e.g., user) input.

In some embodiments, in response to receiving the first input and before generating the first cybersecurity artifact: in accordance with a determination that the first authoritative information security standard includes one or more updates or one or more modifications to submittal-criteria of the first authoritative information security standard, the cybersecurity data handling and governance service displays, on the first user interface, an indication indicating that changes to the first cybersecurity data catalogue are required in order to generate the first cybersecurity artifact in accordance with the submittal-criteria defined by the first authoritative information security standard. The above described manner of displaying the first user interface provides an efficient way to indicate, to a subscriber, changes to a target information security standard.

In some embodiments, before displaying the first user interface and while the cybersecurity data handling and governance service does not include the first cybersecurity data catalogue, the cybersecurity data handling and governance service receives a second input corresponding to a request to upload, to the cybersecurity data handling and governance service, a third cybersecurity artifact that satisfies transmittal criteria of a respective authoritative information security standard. In some embodiments, in response to receiving the second input: the cybersecurity data handling and governance service creates the first cybersecurity data catalogue; and creates, in the first cybersecurity data catalogue, one or more cybersecurity control data objects that correspond to one or more cybersecurity controls described in the third cybersecurity artifact. The above described manner of creating the first cybersecurity data catalogue and associated control data objects based on an uploaded artifact reduces the number of inputs required to create cybersecurity catalogues.

In some embodiments, the second input includes a second request to upload, to the cybersecurity data handling and governance service, a fourth cybersecurity artifact that satisfies transmittal criteria of a second respective authoritative information security standard. In some embodiments, in response to receiving the second input: the cybersecurity data handling and governance service concurrently creates the first cybersecurity data catalogue and the second cybersecurity data catalogue. The above described manner of concurrently creating the first and the second cybersecurity data catalogues and their associated control data objects reduces the number of inputs required to create a plurality of cybersecurity catalogues.

In some embodiments, creating the first cybersecurity data catalogue includes: in accordance with a determination that the respective authoritative information security standard is the first authoritative information security standard: creating one or more cybersecurity objective data objects corresponding to one or more cybersecurity objectives defined in the first authoritative information security standard; and digitally mapping the one or more cybersecurity control data objects to the one or more cybersecurity objective data objects; and in accordance with a determination that the respective authoritative information security standard is a third authoritative information security standard: creating one or more cybersecurity objective data objects corresponding to one or more cybersecurity objectives defined in the third authoritative information security standard; and digitally mapping the one or more cybersecurity control data objects to the one or more cybersecurity objective data objects.

In some embodiments, the one or more cybersecurity objective data objects include a first cybersecurity objective data object that corresponds to a first cybersecurity objective of the first authoritative information security standard, and the first cybersecurity objective data object is digitally mapped to a first cybersecurity control data object of the one or more cybersecurity control data objects. In some embodiments, after creating the first cybersecurity data catalogue, the cybersecurity data handling and governance service receives a third input selecting the first cybersecurity objective data object; and in response to receiving the third input: the cybersecurity data handling and governance service displays information corresponding to the first cybersecurity objective of the first authoritative information security standard; and displays an indication indicating that the first cybersecurity objective is digitally mapped to the first cybersecurity control data object.
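The catalogue-creation path of the preceding embodiments (an uploaded artifact producing a catalogue, objective data objects chosen by the artifact's standard, controls mapped to those objectives, anomalies evaluated as in claims 5 and 6, and the objective view of the last paragraph) as an added, runnable illustration; this is example code written for this page, not the patent's or any product's implementation, and the upload format, the standards "STD-A"/"STD-C", their objective lists and the anomaly rules are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed for this example: the objectives each (hypothetical) authoritative
# standard defines. Nothing here is real standard content.
STANDARD_OBJECTIVES: Dict[str, Dict[str, str]] = {
    "STD-A": {"A.1": "Access control policy", "A.2": "Incident handling"},
    "STD-C": {"C.5": "Logging", "C.6": "Access control policy"},
}

def create_catalogue(upload: dict) -> Tuple[dict, List[str]]:
    """Create a catalogue from an uploaded artifact: create objective data objects
    for the standard the artifact satisfies, create one control data object per
    control entry, and map controls to objectives. Returns the catalogue plus
    the anomalies found while evaluating the upload (claims 5 and 6)."""
    standard = upload["standard"]
    objectives = {oid: {"standard": standard, "title": title, "controls": []}
                  for oid, title in STANDARD_OBJECTIVES[standard].items()}
    catalogue = {"origin": "uploaded_artifact",   # drives the visual characteristic
                 "standard": standard, "controls": {}, "objectives": objectives}
    anomalies: List[str] = []
    for entry in upload["controls"]:
        cid = entry.get("id")
        if not cid:
            anomalies.append("control without an id")
            continue
        if cid in catalogue["controls"]:
            anomalies.append(f"duplicate control id {cid}")
            continue
        # Attribute values taken from the upload correspond to the uploaded standard.
        attrs = {k: v for k, v in entry.items() if k not in ("id", "objectives")}
        control = {"id": cid, "attributes": {standard: attrs}, "objectives": []}
        for oid in entry.get("objectives", []):
            if oid not in objectives:
                anomalies.append(f"{cid} references unknown objective {oid}")
                continue
            control["objectives"].append(oid)
            objectives[oid]["controls"].append(cid)
        if not control["objectives"]:
            anomalies.append(f"{cid} is not mapped to any objective")
        catalogue["controls"][cid] = control
    return catalogue, anomalies

def objective_view(catalogue: dict, oid: str) -> dict:
    """What the service shows when an objective data object is selected: the
    objective's information and which control data objects are mapped to it."""
    objective = catalogue["objectives"][oid]
    return {"objective": oid, "title": objective["title"],
            "mapped_controls": list(objective["controls"])}

# Constructed sample upload with three deliberate anomalies.
UPLOADED_ARTIFACT = {
    "standard": "STD-A",
    "controls": [
        {"id": "AC-01", "owner": "CISO", "objectives": ["A.1"]},
        {"id": "IR-03", "owner": "SOC lead", "objectives": ["A.2", "A.9"]},  # A.9 undefined
        {"id": "AC-01", "owner": "CIO", "objectives": ["A.1"]},              # duplicate id
        {"owner": "nobody", "objectives": ["A.1"]},                          # missing id
    ],
}
```

`create_catalogue(UPLOADED_ARTIFACT)` yields two control data objects, the A.1 objective mapped to AC-01, and a three-entry anomaly list that the user interface element of claim 6 would surface.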

In some embodiments, after generating the first cybersecurity artifact, the cybersecurity data handling and governance service electronically (e.g., and automatically) transmits the first cybersecurity artifact to an assessment entity verified by the first authoritative information security standard. The above described manner of electronically transmitting the generated information security artifact provides an efficient way for a subscriber or user to submit the artifacts generated by the information security service for review, reduces user error related to the manual transmission of such artifacts, and reduces the time that the artifacts generated by the information security service are not in the respective review queue of the assessment entity, thereby reducing the time to initiate a review by the assessment entity. For instance, in a non-limiting example, the one or more information security artifacts that are generated based on a first information security program may be electronically and/or automatically transmitted to one or more target assessment entities using one or more portions (e.g., user interfaces or user interface objects) of the information security service (e.g., the information security service may transmit an information security artifact in response to at least one user input selecting an artifact transmittal interface object (not shown) from entirely within the information security service).

Although omitted for conciseness, the preferred embodiments include every combination and permutation of the implementations of the systems and methods described herein. The system and methods and variations thereof can be embodied and/or implemented at least in part as a machine configured to receive a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with the system and one or more portions of the processors and/or the controllers. The computer-readable medium can be stored on any suitable computer-readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The computer-executable component is preferably a general or application specific processor, but any hardware or hardware/firmware combination device can alternatively or additionally execute the instructions.

We claim:
1. A method comprising: at a data governance service: receiving, by one or more computers, a request to automatically generate a digital cybersecurity artifact based on submittal-criteria of a target information security standard; and based on receiving the request: (1) automatically identifying, by the one or more computers, a target cybersecurity program that includes one or more cybersecurity control data objects; and (2) automatically generating, by the one or more computers, the digital cybersecurity artifact based on the one or more cybersecurity control data objects, wherein the digital cybersecurity artifact at least partially satisfies the submittal-criteria of the target information security standard.
2. The method of claim 1, further comprising: after generating the digital cybersecurity artifact and based on receiving a second request, automatically transmitting the digital cybersecurity artifact to a target assessment entity associated with the target information security standard.
3. The method of claim 1, further comprising: after generating the digital cybersecurity artifact: modifying, based on user input, one or more attributes of one of the one or more cybersecurity control data objects from having a first value to having a second value; and generating, by the one or more computers, an updated cybersecurity artifact that includes installing, by the one or more computers, the second value of the one of the one or more cybersecurity control data objects at a corresponding portion in the updated cybersecurity artifact.
4. The method of claim 1, further comprising: before receiving the request to automatically generate the digital cybersecurity artifact, receiving a second request to upload a second cybersecurity artifact to the data governance service, wherein the second cybersecurity artifact at least partially satisfies submittal-criteria of a respective information security standard; and in response to receiving the second request: automatically creating, by the one or more computers, the target cybersecurity program, wherein creating the target cybersecurity program includes creating the one or more cybersecurity control data objects based on the second cybersecurity artifact.
5. The method of claim 4, further comprising: based on receiving the second request, automatically evaluating the second cybersecurity artifact for possible anomalies.
6. The method of claim 5, further comprising: in accordance with a determination that at least one anomaly exists in the second cybersecurity artifact, displaying a user interface element indicating that the second cybersecurity artifact includes the at least one anomaly; and in accordance with a determination that the second cybersecurity artifact does not include at least one anomaly, forgoing displaying the user interface element.
7. The method of claim 1, wherein: the one or more cybersecurity control data objects includes a first cybersecurity control data object that is associated with a plurality of cybersecurity attributes, a first subset of the plurality of cybersecurity attributes corresponds to the target information security standard, and a second subset of the plurality of cybersecurity attributes does not correspond to the target information security standard.
8. The method of claim 7, wherein: the generating the digital cybersecurity artifact based on the one or more cybersecurity control data objects includes generating the digital cybersecurity artifact based on the first subset of the plurality of cybersecurity attributes and not based on the second subset of the plurality of cybersecurity attributes.
9. The method of claim 1, wherein the one or more cybersecurity control data objects of the target cybersecurity program includes a first plurality of cybersecurity control data objects that maps to the target information security standard and a second plurality of cybersecurity control data objects that maps to a second information security standard, distinct from the target information security standard.
10. The method of claim 9, wherein the generating the digital cybersecurity artifact includes generating the digital cybersecurity artifact based on the first plurality of cybersecurity control data objects and not based on the second plurality of cybersecurity control data objects.
11. A method comprising: at a cybersecurity governance service: while a first cybersecurity data catalogue includes a first set of cybersecurity control data objects: after generating, based on the first set of cybersecurity control data objects, a first cybersecurity artifact that at least partially satisfies submittal-criteria of a first information security standard: modifying, based on a first user input, a first cybersecurity control data object in the first set of cybersecurity control data objects, wherein modifying the first cybersecurity control data object includes modifying a first cybersecurity attribute of the first cybersecurity control data object from having a first value to having a second value; and generating, based on a second user input, an updated cybersecurity artifact based on the first set of cybersecurity control data objects, wherein (1) the updated cybersecurity artifact at least partially satisfies the submittal-criteria of the first information security standard and (2) generating the updated cybersecurity artifact includes installing the second value of the first cybersecurity attribute at a corresponding portion in the updated cybersecurity artifact.
12. The method of claim 11, wherein: generating the first cybersecurity artifact includes installing the first value of the first cybersecurity attribute at a corresponding portion in the first cybersecurity artifact, each cybersecurity control data object of the first set of cybersecurity control data objects comprises one or more first respective cybersecurity attributes that correspond to the first information security standard, and each cybersecurity control data object of the first set of cybersecurity control data objects comprises one or more second respective cybersecurity attributes that do not correspond to the first information security standard.
13. A method comprising: displaying, via a first user interface, a cybersecurity artifact generation object; while displaying the cybersecurity artifact generation object, receiving a first input selecting the cybersecurity artifact generation object; and based on receiving the first input: in accordance with a determination that the first user interface is displaying a characteristic associated with a first cybersecurity program, generating, by one or more computers, a first cybersecurity artifact based on one or more cybersecurity control data objects of the first cybersecurity program.
14. The method of claim 13, further comprising: while displaying the cybersecurity artifact generation object: displaying, via the first user interface, one or more distinct selectable representations of at least a subset of the one or more cybersecurity control data objects.
15. The method of claim 13, further comprising: while displaying the cybersecurity artifact generation object: displaying, via the first user interface, a metric that indicates a numerical quantity of cybersecurity control data objects that is available to use when generating the first cybersecurity artifact.
16. The method of claim 13, further comprising: automatically updating, by the one or more computers, one or more attribute values of the one or more cybersecurity control data objects based on receiving an updated cybersecurity artifact.
17. The method of claim 13, wherein (1) the first cybersecurity program includes a first subset of cybersecurity control data objects and a second subset of cybersecurity control data objects and (2) generating the first cybersecurity artifact is not based on the second subset of cybersecurity control data objects, the method further comprising: in accordance with a determination that one or more criteria are satisfied, generating a second cybersecurity artifact based on the first subset and the second subset of cybersecurity control data objects.
18. The method of claim 17, wherein the first cybersecurity artifact corresponds to a first information security standard and the second cybersecurity artifact corresponds to a second information security standard, different from the first information security standard.
19. The method of claim 13, further comprising: after generating the first cybersecurity artifact: in accordance with a determination that one or more criteria is satisfied, automatically transmitting the first cybersecurity artifact to a target assessment entity associated with the target information security standard.
20. The method of claim 13, further comprising: receiving a second input corresponding to a request to upload a second cybersecurity artifact associated with a first information security standard, and based on receiving the second input: creating the first cybersecurity program, wherein creating the first cybersecurity program includes creating the one or more cybersecurity control data objects and digitally mapping the one or more cybersecurity control data objects to one or more objectives of the first information security standard.